Preface 


This book is a complete discussion of state-of-the-art technology used in the identification, 
acquisition, and forensic analysis of mobile devices running the iOS operating system. It 
is a practical guide that will help investigators handle the scenarios they meet in their 
daily work on this type of mobile device efficiently. 

The need for a practical guide in this area arises from the growing popularity of iOS 
devices and the different scenarios that an investigator may face, according to the 
type of device, the version of the operating system, and the presence or absence of 
security systems (code lock, backup password, and so on). 

The book is divided (conceptually) into four areas. The first part deals with the 
basic concepts related to methods and guidelines to be followed in the treatment of 
digital evidence and information specific to an iOS device. The second part covers 
the basic techniques and tools for acquisition and analysis of an iOS device. The 
third part goes deep into the methods of extracting data when you do not have the 
physical device available, which means you need to depend on backup and iCloud. 
Finally, the fourth part provides an overview of issues related to the analysis of iOS 
applications and malware. 

For those who are new to this field, we recommend reading the book sequentially, 
since the topics are presented in the order of the main phases of a forensic 
investigation (identification, acquisition, and analysis). For more experienced 
readers, and for those who routinely deal with this type of device, the book can 
serve as a tool to evaluate different techniques, depending on the type of case 
that you have to handle. 
What this book covers 

Chapter 1, Digital and Mobile Forensics, is an introduction to the most important concepts 
and definitions in the field of digital and mobile forensics, and the life cycle of the 
digital evidence, which includes identification, acquisition, analysis, and reporting. 

Chapter 2, Introduction to iOS Devices, contains useful information and references that 
will help you learn how to identify the various types of devices (such as iPhone, 
iPad, and iPod Touch) with respect to their model and iOS version. It also contains 
basic information about the filesystem used on a specific kind of device. 

Chapter 3, Evidence Acquisition from iDevices, explains how to acquire data from iOS 
devices with respect to their model and iOS version, as introduced in the previous 
chapter. Physical, logical, and advanced logical acquisitions are discussed, along with 
the most useful techniques for cracking or bypassing the passcode set by the user. 
This chapter presents examples of acquisitions performed with various tools, and 
provides a flow chart to consult before the acquisition stage. 

Chapter 4, Analyzing iOS Devices, provides a complete set of information on how to 
analyze data stored in the acquired device. Both preinstalled (such as address book, 
call history, SMS, MMS, and Safari) and third-party applications (such as chat, social 
network, and cloud storage) are explained, with particular attention to the core 
artifacts and how to search and recover them. 

Chapter 5, Evidence Acquisition and Analysis from iTunes Backup, gives an overview of 
how to analyze an iTunes backup taken from a PC or a Mac, focusing on how to read its 
content and how to attack the backup password set by the user. This chapter also 
explains how to recover passwords stored on the device when the backup is not 
password-protected or when the analyst is able to crack its password. 

Chapter 6, Evidence Acquisition and Analysis from iCloud, deals with the case in which 
the owner is using iCloud to store the device backup. You will learn how to recover 
the credentials or the authorization token useful to retrieve the information stored 
in Apple servers. 

Chapter 7, Applications and Malware Analysis, is an introduction to the core concepts 
and tools used to perform an application assessment from a security point of view. 
You will also learn how to deal with mobile malware that may be present 
on jailbroken devices. 

Appendix A, References, is a complete set of references that will help you understand 
some core concepts explained in the book so that you can go deeper into 
specific topics. 
Appendix B, Tools for iOS Forensics, is a comprehensive collection of open source, 
freeware, and commercial tools used to acquire and analyze the content of iOS devices. 

Appendix C, Self-test Answers, contains the answers to the questions asked in the 
chapters of the book. 

Appendix D, iOS 8 - What It Changes for Forensic Investigators, is an add-on covering 
the recent news and challenges introduced by the latest version of iOS available 
at the time of writing this book. It is not present in the printed book but is available 
as an online chapter at https://www.packtpub.com/sites/default/files/downloads/3815OS_Appendix.pdf. 

What you need for this book 

This book is designed to allow you to use different operating platforms (Windows, 
Mac, and Linux) through freeware, open source software, and commercial software. 
Many of the examples shown can be replicated using either the software tested by 
the authors or equivalent solutions that have been mentioned in Appendix B, Tools 
for iOS Forensics. Some specific cases require the use of commercial platforms, and 
among those, we preferred the platforms that we use in our daily work as forensic 
analysts (such as Cellebrite UFED, Oxygen Forensics, Elcomsoft iOS Forensic Toolkit, 
and Elcomsoft Phone Breaker). In every case, the choice was guided by ease of use, 
completeness of the information extracted, and the correctness with which the 
software presents its results. This book is not meant to be a form of advertising for 
the aforementioned software in any way, and we encourage you to repeat the tests 
carried out on one operating platform on other platforms and software applications 
as well. 


Who this book is for 

This book is intended mainly for a technical audience, and more specifically 
for forensic analysts (or digital investigators) who need to acquire and analyze 
information from mobile devices running iOS. It is also useful for computer security 
experts and penetration testers, because it addresses issues that must be taken into 
consideration before deploying this type of mobile device in business environments 
or in any situation where data security is a necessary condition. Finally, the book 
can also be of interest to developers of mobile applications, who can learn what data 
their application leaves on the device and improve its security accordingly. 
Conventions 


In this book, you will find a number of styles of text that distinguish among different 
kinds of information. Here are some examples of these styles, and explanations of 
their meanings. 

Code words in text, database table names, folder names, filenames, file extensions, 
pathnames, dummy URLs, user input, and Twitter handles are shown as follows: 
"Compile the source file by simply typing the make command." 

A URL is written as follows: 

http://www.sqlite.org/ 

A pathname is written as follows: 

/private/var/root/Library/Lockdown/data_ark.plist 

Any command-line input or output is written as follows: 

$ iproxy 2222 22 
$ ssh usb 

New terms and important words are shown in bold. Words that you see on the screen, 
in menus or dialog boxes for example, appear in the text like this: "The first popup 
appears on the computer in iTunes and it requests the user to click on Continue." 



Warnings or important notes appear in a box like this. 

Tips and tricks appear like this. 

Reader feedback 


Feedback from our readers is always welcome. Let us know what you think about 
this book— what you liked or may have disliked. Reader feedback is important for us 
to develop titles that you really get the most out of. 

To send us general feedback, simply send an e-mail to feedback@packtpub.com, 
and mention the book title via the subject of your message. 

If there is a topic that you have expertise in and you are interested in either writing 
or contributing to a book, see our author guide on www.packtpub.com/authors. 
Customer support 

Now that you are the proud owner of a Packt book, we have a number of things to 
help you to get the most from your purchase. 

Downloading the color images of this book 

We also provide you with a PDF file that has color images of the screenshots/diagrams 
used in this book. The color images will help you better understand the changes in 
the output. You can download this file from 
https://www.packtpub.com/sites/default/files/downloads/3815OS_ColorImages.pdf. 


Errata 

Although we have taken every care to ensure the accuracy of our content, mistakes do 
happen. If you find a mistake in one of our books — maybe a mistake in the text or the 
code— we would be grateful if you would report this to us. By doing so, you can save 
other readers from frustration and help us improve subsequent versions of this book. 
If you find any errata, please report them by visiting http://www.packtpub.com/ 
submit-errata, selecting your book, clicking on the errata submission form link, 
and entering the details of your errata. Once your errata are verified, your submission 
will be accepted and the errata will be uploaded on our website, or added to any list 
of existing errata, under the Errata section of that title. Any existing errata can be 
viewed by selecting your title from http://www.packtpub.com/support. 

Piracy 

Piracy of copyright material on the Internet is an ongoing problem across all media. 
At Packt, we take the protection of our copyright and licenses very seriously. If you 
come across any illegal copies of our works, in any form, on the Internet, please 
provide us with the location address or website name immediately so that we can 
pursue a remedy. 

Please contact us at copyright@packtpub.com with a link to the suspected 
pirated material. 

We appreciate your help in protecting our authors, and our ability to bring you 
valuable content. 

Questions 

You can contact us at questions@packtpub.com if you are having a problem with 
any aspect of the book, and we will do our best to address it. 







Digital and Mobile Forensics 

In this chapter, we will quickly go through the definition and principles of digital 
forensics and, more specifically, of mobile forensics. We will understand what digital 
evidence is and how to handle it properly and, last but not least, we will cover the 
methodology for the identification and preservation of mobile evidence. 


Digital forensics 

Not so long ago we would have been talking mainly, if not solely, about computer 
forensics and computer crimes, such as an attacker breaking into a computer network 
and stealing data. This would involve two types of offense: unlawful/unauthorized 
access and data theft. As cellphones became more popular, the new field of mobile 
forensics developed. 

Nowadays, things have changed radically and are still changing at a fast pace as the 
technology evolves. Digital forensics, which includes all disciplines dealing with 
electronic evidence, is also being applied to common crimes, to those that, at least 
by definition, are not strictly IT crimes. Today more than ever we live in a fully 
digitalized society, and people carry all kinds of devices with different capabilities, 
all of which process, store, and transmit information (mainly over the Internet). This 
means that forensic investigators have to be able to deal with all these devices. 





As defined at the first Digital Forensics Research Workshop (DFRWS) in 2001, 
digital forensics is stated as: 

"The use of scientifically derived and proven methods toward the preservation, 
collection, validation, identification, analysis, interpretation, documentation and 
presentation of digital evidence derived from digital sources for the purpose of 
facilitating or furthering the reconstruction of events found to be criminal, or helping 
to anticipate unauthorized actions shown to be disruptive to planned operations." 

As Casey asserted in (Casey, 2011): 

"In this modern age, it is hard to imagine a crime that does not have a digital 
dimension." 

Criminals of all kinds use technology to facilitate their offenses, to communicate with 
their peers, to recruit other criminals, to launder money, commit credit card fraud, to 
gather information on their victims, and so on. This obviously creates new challenges 
for all the different actors involved such as attorneys, judges, law enforcement 
agents, as well as forensic examiners. 

Among the cases solved in the last years, there were kidnappings where the 
kidnapper was caught thanks to the request for the ransom sent by e-mail from his 
mobile phone. There have been many cases of industrial espionage where unfaithful 
employees were hiding projects in the memory card of their smartphones, cases of 
drug dealing solved, thanks to evidence found in the backup of mobile phones that 
were on the computer, and many others. Even the largest robberies of our time are 
now being conducted via computer networks. 


Mobile forensics 

Mobile forensics is the branch of digital forensics that focuses on mobile devices. 
Among the different digital forensics fields, mobile forensics is without doubt the 
fastest growing and evolving area of study, and its impact on corporate and criminal 
investigations and on intelligence gathering increases every day. Moreover, the 
importance of mobile forensics keeps growing due to the continuous and fast growth 
of the mobile market. One of the most interesting peculiarities of mobile forensics is 
that mobile devices, particularly mobile phones, usually belong to a single individual, 
while this is not always the case with a computer, which may be shared among 
employees of a company or members of a family. For this reason, their analysis gives 
access to plenty of personal information. 
Mobile devices present many new challenges from a forensics perspective. 
Additionally, new models of phones are being developed all around the world with 
new phones being released every week. Such variety of mobile devices makes it 
difficult, or almost impossible, to develop a single solution, whether a process or a 
tool, to address all possible scenarios. 

Just think of all the applications people have installed on their smartphones: IM clients, 
web browsers, social network clients, password managers, navigation systems, and 
much more, in addition to the "default" classic ones such as the address book, which 
can provide a lot more information than just the phone number for each saved 
contact. Moreover, syncing such devices with the computer has become a very easy 
and smooth process, and all user activities, schedules, to-do lists, and everything else 
is stored inside the smartphone. Isn't that enough to profile a person and reconstruct 
all their recent activities, as well as build their network of contacts? 

Finally, in addition to such a variety of smartphones and operating systems such as 
Apple iOS, Google Android, Blackberry OS, and Microsoft Windows Phone, there is 
a massive number of so-called "feature phones" using older mobile OS systems. 

Therefore, it's pretty clear that when talking about mobile/smartphone forensics, 
there is much more than just phone call printouts. In fact, with a complete 
examination, we can retrieve SMS/MMS, pictures, videos, installed applications, 
e-mails, geolocation data, and so on, including both present and deleted information. 

Digital evidence 

The increasing use of technology by criminals, and in particular of mobile devices, 
brings a whole new series of challenges and complexity, but it also has a positive 
aspect: it results in a high availability of digital evidence that can be used to track 
down and prosecute offenders. Moreover, while classical physical evidence may be 
destroyed, digital evidence, most of the time, leaves several traces. 

Over the years, there have been several definitions of what digital evidence actually 
is, some of them focusing particularly on the evidentiary aspects of proof to be used 
in court, such as the one proposed by the Scientific Working Group on Digital 
Evidence (SWGDE), stating that: 

"Digital evidence is any information of probative value that is either stored or 
transmitted in a digital form." 







The definition proposed by the International Organization on Computer Evidence 
(IOCE) states: 

"Digital evidence is information stored or transmitted in binary form that may be 
relied on in court." 

The definition given by E. Casey (Casey, 2000), refers to digital evidence as: 

"Physical objects that can establish that a crime has been committed, can provide 
a link between a crime and its victim, or can provide a link between a crime and 
its perpetrator." 

While all of them are correct, as previously said, all of these definitions focus mostly 
on proof and tend to disregard data that are simply useful to an investigation. 

For this reason and for the purpose of this book, we will refer to the definition given 
by Carrier in 2006 (Carrier, 2006) where digital evidence is defined as: 

"Digital data that supports or refutes a hypothesis about digital events or the state 
of digital data." 

This definition is a more general one, but matches better with the current state of 
digital evidence and its value within the entire investigation process. 

Also from a standardization point of view, there have been, and still are, many 
attempts to define guidelines and best practices on how to handle digital evidence. 
Other than several guidelines and special publications from NIST, there is a standard 
from ISO/IEC released in 2012, ISO/IEC 27037 Guidelines for identification, collection, 
acquisition and preservation of digital evidence, which is not specific to mobile forensics 
but relates to digital forensics in general, aiming to build a standard procedure for 
collecting and handling digital evidence that will be legally recognized and accepted 
in court in different countries. This is a really important goal if you consider the 
"lack of borders" of the Internet era, particularly when it comes to digital crimes 
where illicit actions can be perpetrated by attackers from anywhere in the world. 
Identification, collection, and 
preservation of evidence 

In order to be useful in court, but also during the entire investigation phase, digital 
evidence must be collected, preserved, and analyzed in a forensically sound manner. 
This means that every single step, from identification to reporting, has to be followed 
carefully and strictly. Historically, a methodology was considered forensically sound 
if and only if the original source of evidence remained unmodified and unaltered. 
This was mostly true in classical computer forensics, in scenarios where the forensic 
practitioner found the computer switched off or had to deal with external hard drives, 
although not completely true even in these situations. Since the rise of live forensics, 
however, this concept has become less and less tenable. In fact, methods and tools for 
acquiring memory from live systems inevitably alter, even if only slightly, the target 
system they run on. The advent of mobile forensics stresses this concept even more, 
because mobile devices, smartphones in particular, are networked devices, 
continuously exchanging data through several communication protocols such as 
GSM/CDMA, Wi-Fi, Bluetooth, and so on. Moreover, in order to acquire a mobile 
device, forensic practitioners need to have some degree of interaction with it. 
Depending on the type, a smartphone may need more or less interaction, altering in 
this way the "original" state of the device. 

All of this does not mean that preservation of the source evidence is useless, but 
that it is nearly impossible in the mobile field. Therefore, it becomes of extreme 
importance to thoroughly document every single step taken during the collection, 
preservation, and acquisition phases. Using this approach, forensic practitioners will 
be able to demonstrate that they have been as un-intrusive as possible. As stated in 
(Casey, 2011): 

"One of the keys to forensic soundness is documentation. A solid case is built on 
supporting documentation that reports on where the evidence originated and how it 
was handled. From a forensic standpoint, the acquisition process should change the 
original evidence as little as possible and any changes should be documented and 
assessed in the context of the final analytical results." 
When in the presence of mobile devices to be collected, it is good practice for the 
forensic practitioner to consider the following points: 

• Take note of the current location where the device has been found. 

• Report the device status (switched on or off, broken screen, and so on). 

• Report date, time, and other information visible on the screen in case the 
device is switched on, for example, by taking a picture of the screen. 

• Look very carefully for the presence of memory cards. Although this is not the 
case for iOS devices, many mobile phones have a slot for an external memory 
card, where pictures, chat databases, and many other types of user data are 
usually stored. 

• Look very carefully for the presence of cables related to the mobile phone 
that is being collected, especially if you don't have a full set of cables in your 
lab. Many mobile phones have their own cables to connect to the computer 
and to recharge the battery. 

• Search for the original Subscriber Identity Module (SIM) package, because 
that is where the PIN and PIN unblocking key (PUK) codes are written. 

• Take pictures of every item before collection. 

But modifications in mobile devices can happen not only because of the interaction 
with the forensic practitioner but also due to interaction with the network, voluntary 
or not. In fact, digital evidence on mobile devices can be lost completely, since it is 
susceptible to being overwritten by new data (for example, a smartphone receiving 
an SMS while it is being collected, thus overwriting possible evidence previously 
stored in the same area of memory), or to a remote wipe command received over a 
wireless network. Most of today's smartphones, iOS devices included, can be 
configured to be completely wiped remotely. 



From a real case 

While searching inside the house of a person under 
investigation, law enforcement agents found and seized, 
among other things, computers and a smartphone. After 
cataloguing and documenting everything, they put all the 
material into boxes to bring them back to the barracks. Once 
back in their laboratory, when taking the smartphone to 
acquire it in order to proceed with the forensics analysis, they 
noticed the smartphone was "empty" and like "brand new". 
The owner had wiped it remotely. 
Therefore, isolating the mobile device from all radio networks is a fundamental step 
in the process of preservation of the evidence. There are several ways to achieve this, 
all with their own pros and cons, as follows: 

• Airplane mode: Enabling Airplane mode on a device requires some sort of 
interaction, which may pose some risk of modification by the forensic 
practitioner. It is nevertheless one of the best possible options, since it switches 
off the cellular radio and, by default, the other wireless chips as well; check the 
status bar afterwards, because on iOS Wi-Fi and Bluetooth can be re-enabled 
independently while Airplane mode stays on. In any case, it is always good to 
document the action taken, also with pictures and/or videos. Normally, this is 
possible only if the phone is not passcode-protected or, if it is, the passcode is 
known. However, for iDevices with iOS 7 or higher, it is also possible to enable 
Airplane mode by swiping up from the bottom of the screen to open Control 
Center, where there is a button with the shape of a plane. This works only if 
the Access on Lock Screen option is enabled in Settings | Control Center. 

• Faraday bag: This item is a sort of envelope made of conducting material, 
which blocks external electric fields and electromagnetic radiation, 
completely isolating the device from external networks. It works, as the name 
suggests, as a Faraday cage. This is the most common solution, particularly 
useful when the device is being carried from the crime scene to the lab after 
the seizure. However, inside a Faraday bag the phone will continuously 
search for a network, which will quickly drain the battery. Unfortunately, it 
is also risky to run a power cable from outside into the bag, because the cable 
may act as an antenna. Moreover, keep in mind that when you remove the 
phone from the bag (once in the lab) it will again be exposed to the network, 
so you need either a shielded lab environment or a Faraday solution that lets 
you access the phone while it is still inside the shielded container, without 
the need for external power cables. 

• Jamming: A jammer prevents a wireless device from communicating by 
transmitting radio waves on the same frequencies as that device. In our case, 
it would jam the GSM/UMTS/LTE frequencies that mobile phones use to 
connect with cellular base stations to send/receive data; Wi-Fi and Bluetooth 
are unaffected unless their bands are jammed as well. Beware that this 
practice may be illegal in some countries, since it also interferes with every 
other mobile device in the range of the jammer, disrupting their 
communications too. 

• Switching off the device: This is a very risky practice because it may activate 
authentication mechanisms, such as PIN codes or passcodes that are not 
available to the forensic practitioner, or encryption mechanisms, with the risk 
of delaying or even blocking the acquisition of the mobile device. On iOS 
devices with Data Protection, a reboot also discards the encryption keys 
derived from the passcode, so data that was readable while the device was 
unlocked becomes inaccessible until the passcode is entered again. 
• Removing the SIM card: Although in most mobile devices this operation 
implies removing the battery, and therefore all the risks and consequences 
we just mentioned about switching off the device, in iOS devices this task 
is quite straightforward and does not require removing the battery (which 
in iOS devices is not possible anyway). Moreover, SIMs can have PIN 
protection enabled; removing the SIM from the phone may lock it, 
preventing its content from being displayed. However, bear in mind that 
removing the SIM card isolates the device only from the cellular network, 
while other networks, such as Wi-Fi or Bluetooth, may still be active and 
therefore need to be addressed. 



The preceding image shows a SIM card extracted from an iPhone with just a clip, 
taken from http://www.maclife.com/. 

Chain of custody 

Talking about documenting and the preservation of digital evidence, one of the 
most important steps is the correct and comprehensive compilation of the chain of 
custody. The purpose of this document is twofold: on one hand, to keep record of 
each person who handled the evidence, enabling the identification of access and 
movement of potential digital evidence at any given point in time; and on the other 
hand, to maintain documentation demonstrating that the digital evidence has not 
been altered since it was collected while passing through the hands of the several 
analysts listed in the document. 
Therefore, some of the information that the chain of custody should contain is as 
follows: 


• A unique evidence identifier 

• Who accessed the evidence, and the time and location at which this took place 

• Who checked the evidence in and out of the evidence preservation 
facility, and when 

• The reason why the evidence was checked out 

• The hash value(s) of the evidence, to prove that it has not been tampered 
with since it was last assigned to the previous person listed in the chain 
of custody 

• Any unavoidable change made to the potential digital evidence (the forensic 
investigation must otherwise never be performed directly on the original 
device or file), together with the justification for introducing it and the name 
of the individual responsible 

The following is a sample chain of custody form proposed by NIST: 


EVIDENCE CHAIN OF CUSTODY TRACKING FORM 

Case Number: ____________          Offense: ____________ 
Submitting Officer (Name/ID#): ____________ 
Victim: ____________ 
Suspect: ____________ 
Date/Time Seized: ____________     Location of Seizure: ____________ 

Description of Evidence 

Item # | Quantity | Description of Item (Model, Serial #, Condition, Marks, Scratches) 
-------|----------|------------------------------------------------------------------- 
       |          | 

Chain of Custody 

Item # | Date/Time | Released by (Signature & ID#) | Received by (Signature & ID#) | Comments/Location 
-------|-----------|------------------------------|------------------------------|------------------ 
       |           |                              |                              | 
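The two purposes of the chain of custody described above (tracking who handled the evidence and when, and proving that the item was not altered between hand-offs), together with the earlier point that every collection and acquisition step must be documented, can be exercised in code. What follows is an example added for this edition, not code from the book or from any of the tools it mentions: it keeps a custody record for one evidence item, recomputes MD5 and SHA-256 at every hand-off, and flags the hand-off at which the hashes stop matching the values recorded at seizure. The evidence item, the evidence identifier, and the names and roles of the people in the record are all constructed for the example. 

```python
"""Chain-of-custody record with hash verification at every hand-off.

Added example (not from the book). The evidence item is a constructed byte
string standing in for an acquisition image; names and IDs are invented.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Two algorithms are recorded: custody forms usually ask for at least one hash,
# and a second algorithm guards against a collision in the first.
HASH_ALGOS = ("md5", "sha256")
CHUNK = 1 << 20  # 1 MiB: real images are hashed in chunks, not read whole


def hash_evidence(data: bytes) -> Dict[str, str]:
    """Return {algorithm: hexdigest} for the evidence bytes, hashed in chunks."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    view = memoryview(data)
    for offset in range(0, len(view), CHUNK):
        block = view[offset:offset + CHUNK]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


@dataclass
class CustodyEntry:
    timestamp: str          # UTC, ISO 8601
    action: str             # "seized", "checked in", "checked out"
    released_by: str
    received_by: str
    location: str
    reason: str             # why the evidence changed hands
    hashes: Dict[str, str]  # hashes computed at this hand-off
    verified: bool          # True if hashes match the previous entry


@dataclass
class CustodyRecord:
    evidence_id: str        # the unique evidence identifier
    description: str
    entries: List[CustodyEntry] = field(default_factory=list)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def seize(self, data: bytes, officer: str, location: str) -> None:
        """First entry: the seizing officer establishes the reference hashes."""
        self.entries.append(CustodyEntry(self._now(), "seized", "-", officer,
                                         location, "seizure", hash_evidence(data), True))

    def transfer(self, data: bytes, action: str, released_by: str,
                 received_by: str, location: str, reason: str) -> bool:
        """Record a hand-off and re-verify the item against the previous entry.
        Returns False (and stores verified=False) if the hashes changed."""
        if not self.entries:
            raise ValueError("evidence must be seized before it is transferred")
        current = hash_evidence(data)
        intact = current == self.entries[-1].hashes
        self.entries.append(CustodyEntry(self._now(), action, released_by, received_by,
                                         location, reason, current, intact))
        return intact

    def integrity_intact(self) -> bool:
        """True only if every hand-off re-verified the hashes taken at seizure."""
        return all(e.verified for e in self.entries)

    def report(self) -> str:
        """Plain-text rendering in the spirit of the custody tracking form."""
        lines = [f"Evidence ID: {self.evidence_id}", f"Description: {self.description}", ""]
        for e in self.entries:
            lines.append(f"{e.timestamp}  {e.action:<11} {e.released_by} -> {e.received_by}"
                         f"  @ {e.location}  ({e.reason})  sha256={e.hashes['sha256'][:16]}..."
                         f"  {'OK' if e.verified else 'MISMATCH'}")
        return "\n".join(lines)


def run_demo() -> Dict[str, object]:
    """Seizure, two clean hand-offs, then an undocumented change (one flipped
    byte, constructed) that the next check-in must catch."""
    image = bytearray(b"iOS-physical-image-demo " * 4096)  # constructed stand-in

    rec = CustodyRecord("EV-2015-0042-01", "iPhone 5s, model A1457, cracked screen")
    rec.seize(bytes(image), "Officer Rossi #112", "kitchen table, search site")
    ok1 = rec.transfer(bytes(image), "checked in", "Officer Rossi #112",
                       "Evidence clerk Bianchi #7", "evidence room", "storage after seizure")
    ok2 = rec.transfer(bytes(image), "checked out", "Evidence clerk Bianchi #7",
                       "Analyst Verdi #31", "forensic lab", "physical acquisition")
    intact_before = rec.integrity_intact()

    image[1000] ^= 0xFF  # simulate an undocumented modification while checked out
    ok3 = rec.transfer(bytes(image), "checked in", "Analyst Verdi #31",
                       "Evidence clerk Bianchi #7", "evidence room", "return after analysis")

    return {"entries": len(rec.entries), "handoffs_ok": (ok1, ok2),
            "intact_before_tamper": intact_before,
            "tamper_detected": (not ok3) and (not rec.integrity_intact()),
            "report": rec.report()}


if __name__ == "__main__":
    print(run_demo()["report"])
```

The record keeps the hashes of every hand-off rather than only the seizure values, so a mismatch is pinned to the interval between two named people, which is exactly what the form's "Released by / Received by" columns are for. Running the demo prints three entries marked OK and a final check-in marked MISMATCH. 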
Going operational - from acquisition 
to reporting 

Especially in mobile forensics, where the information visible on the device may be 
more volatile, but also in classical computer forensics, there is sometimes an urgent 
need to acquire the data that is available, because it may vanish before the device 
can be isolated or properly handled. In such cases, effective on-scene triage processes 
and tools may preserve evidence that would otherwise be lost. Such processes may 
include taking pictures or videos of the device's screen immediately, before 
proceeding with any other type of operation. 

Having said that, once the mobile device has been handled correctly, forensic 
practitioners may proceed with the acquisition of the evidence from the device. 

In mobile forensics, and particularly for iOS devices, there are the following three 
types of acquisition: 

• Physical: This is the optimal and most desired option. A physical 
acquisition consists of an exact bit-for-bit copy of the device's storage. It 
is the most comprehensive option, since it also allows you to recover 
potentially deleted files. Bear in mind, however, that on iOS devices with 
hardware encryption the raw image is encrypted, so it is useful only together 
with the keys obtained from the device, and that a file's per-file key is 
discarded with its metadata when the file is deleted, which makes recovery 
of deleted content far more limited than on an unencrypted disk. 

• File System: This is the second best option when physical acquisition is 
not possible for whatever reason. This type of acquisition lets the forensic 
practitioner extract all the files visible at file system level. In this way, it will 
be possible to analyze all active files, those that would be visible by browsing 
the file system, but it will not be possible to recover potentially deleted files. 

• Logical: With this type of acquisition, it is possible to extract part of the 
file system. It consists of the data available by performing a backup of 
the device, via iTunes in the case of iOS devices. Unfortunately, on iOS, a 
logical/backup acquisition does not extract important files such as e-mails, 
geolocation databases, the app cache folder, and so on. Although it is the least 
comprehensive of the three, sometimes this may be the only option available. 

The preceding three acquisition methods are the main methods for acquiring an 
iOS device; we will cover them in detail later. In the next chapters, we will dive 
deep into each methodology, explaining how to proceed in every possible situation, 
and we will see most of the tools available for performing physical, file system, and 
logical acquisitions and the subsequent analysis. 
Mobile forensics, however, may also include the need to adopt some "offensive 
security" techniques. Depending on the device model and iOS version, in order to 
perform a physical acquisition we may need to jailbreak the device, hopefully with a 
tethered technique, so that the modifications are not persistent on the device and are 
undone once it is restarted. Even in cases when we can only perform an untethered 
jailbreak, such modifications will affect only the system partition of the iOS device, 
leaving the user partition unchanged and therefore the evidence preserved. 

Another offensive technique we may need to use is password cracking. As we will 
see later, we may often find ourselves in front of a password-protected device. Again 
depending on the model and iOS version, it may be possible to perform brute force 
attacks against the passcode set by the user. 

All of these more "invasive" techniques will need to be fully documented in the 
final report, detailing the methodology, techniques, and tools used. It is very 
important, especially because of their invasiveness, to know the tools and techniques 
used very well, in order to be able to explain what modifications have happened and 
where, and why they did not alter the evidence to the point of compromising it. Good 
reporting is the key. 

Evidence integrity 

It has been mentioned already multiple times that when handling mobile devices, it is 
basically always impossible not to interact with the device and therefore alter its 
current status to some extent. However, this does not mean that in mobile forensics 
there is no need or reason to put mechanisms of evidence integrity in place. In fact, 
once the acquisition has been completed, there must be an integrity verification 
mechanism in place for the data that has been extracted from the mobile device, be it 
an iTunes backup, a full physical acquisition, or simply a single file. In digital 
forensics, the integrity of digital evidence is verified by comparing the digital 
fingerprint of the evidence taken at the time of acquisition with the digital fingerprint 
of the evidence in its current state. Such a fingerprint is also known as a hash value 
or message digest. Hashing functions are one-way mathematical functions that, given 
an input of arbitrary length, produce an output of a fixed length. The same input will 
always produce the same output, while changing even a single bit of the input 
produces a completely different hash value. The following table shows how modifying 
only the case of two characters in the same sentence results in a completely different 
hash value: 


Input value           MD5 output 
ios Forensics book    9effa61083b07a164c5471d020fa4306 
iOS Forensics book    e6196e1b4f0d1535244eaab534428542 
The two most common algorithms used to calculate hash values are MD5 and SHA-1. 
The MD5 algorithm produces a 128-bit output value, while the SHA-1 algorithm 
produces a 160-bit output. The other important characteristic of this type of 
algorithm is that it is computationally unfeasible and highly improbable to produce 
two messages with the same digest, and even less so to produce a message with a 
specified target digest. This problem is known as a collision. Although researchers 
have found that two files with the same hash value can be generated for both MD5 
and SHA-1, this has been proved only under certain controlled conditions. Fortunately, 
this type of hash collision does not invalidate the use of MD5 or SHA-1 to document 
the integrity of digital evidence. Since it is basically impossible to produce two files 
that have the same MD5 and SHA-1 hash values (or, in general, two hash values 
generated by two different independent algorithms), it is good practice to generate 
both MD5 and SHA-1 hash values for each piece of digital evidence produced or collected. 
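As an added Python example (not code from the book), the integrity mechanism described above: MD5 and SHA-1 are computed together in one pass over each acquired item, recorded in a manifest at acquisition time and checked again later, and a single flipped bit is enough to fail the check. The evidence file, its name, and the manifest layout are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Read in fixed-size chunks so a multi-gigabyte physical image is never
# loaded into memory at once.
CHUNK_SIZE = 1024 * 1024


def hash_bytes(data):
    """Return (md5_hex, sha1_hex) for an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path):
    """Return (md5_hex, sha1_hex) of a file, computing both digests in one read.

    Documenting evidence with two independent algorithms, as the chapter
    recommends, therefore costs a single pass over the data.
    """
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def write_manifest(paths, manifest_path):
    """Record MD5, SHA-1 and file name for every acquired item (tab-separated)."""
    with open(manifest_path, "w", encoding="utf-8") as out:
        for path in paths:
            md5_hex, sha1_hex = hash_file(path)
            out.write(f"{md5_hex}\t{sha1_hex}\t{os.path.basename(path)}\n")


def verify_manifest(manifest_path, directory):
    """Re-hash each listed item and compare against the recorded fingerprints.

    Returns {name: True/False}; False means at least one digest differs from
    the value taken at acquisition time, so the item can no longer be shown
    to be the evidence that was originally acquired.
    """
    results = {}
    with open(manifest_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            md5_rec, sha1_rec, name = line.split("\t", 2)
            md5_now, sha1_now = hash_file(os.path.join(directory, name))
            results[name] = md5_now == md5_rec and sha1_now == sha1_rec
    return results


def case_change_demo():
    """The chapter's table: the same sentence with two letters in a different case."""
    return hash_bytes(b"ios Forensics book")[0], hash_bytes(b"iOS Forensics book")[0]


def demo():
    """Constructed walk-through: record fingerprints, verify, flip one bit, re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample item standing in for a file from an iTunes backup.
        evidence = os.path.join(workdir, "backup_item.bin")
        with open(evidence, "wb") as fh:
            fh.write(b"constructed sample backup content\n" * 1000)
        manifest = os.path.join(workdir, "hashes.txt")
        write_manifest([evidence], manifest)
        intact = verify_manifest(manifest, workdir)["backup_item.bin"]

        # Flip the lowest bit of the first byte: a single-bit change.
        with open(evidence, "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0x01]))
        tampered = verify_manifest(manifest, workdir)["backup_item.bin"]
        return intact, tampered


if __name__ == "__main__":
    for label, digest in zip(("ios Forensics book", "iOS Forensics book"),
                             case_change_demo()):
        print(f"{label}: {digest}")
    print("intact, tampered =", demo())
```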


SIM cards 

When conducting forensic examinations of mobile devices, it is also important to 
acquire and analyze the contents of associated SIM cards. The SIM is a type of smart 
card that allows the mobile device to connect to the cellular network through the 
cryptographic keys embedded in the SIM itself. The SIM is mainly characterized by 
the following two different codes that can be retrieved: 

• Integrated Circuit Card Identification (ICCID): This is a 20-digit code that 
internationally and univocally identifies each SIM card 

• International Mobile Subscriber Identity (IMSI): This is a unique number 
15 digits long (in some countries, such as South Africa, it is 14), which 
univocally identifies a user inside the mobile network 

Although it is not the case with iOS devices, there might be multiple SIM cards that 
an individual uses within the same device for different purposes, since some mobile 
devices support functioning with dual SIM cards. 

In addition, the storage capacity and utilization of SIM cards have increased 
considerably, and a SIM may contain a large amount of relevant information. Just to 
give you an idea of the amount of data that can be stored (or hidden) inside a SIM, 
consider that inside a 128 Kb standard SIM card, it is possible to write up to 17 Kb of 
data. The whole United States Declaration of Independence takes just 11 Kb. 
Some of the useful information to recover from a SIM card may be the list of 
incoming/outgoing phone calls, contact information, the SMS content, for which it 
is possible to recover even messages that have been deleted, and the location of the 
last cell to which the device was connected. 

Looking into the details of the SIM card (Gubian, 2007), it is possible to see the 
hierarchical n-ary structure of the file system, which has three different kinds of files, 
with the content of each file defined in the following GSM technical specification 
(GSM 11.11): 

• 3F = Master File (MF): Its structure is composed of just a header, and it is 
the root of the file system in the SIM card. Its address, which is the offset for 
every other file, is 3F00. 

• 7F/5F = Dedicated File (DF): As for the MF, its structure is composed of just 
a header, plus EFs. A DF can be compared to a normal directory/folder 
on a PC. 

• 2F = Elementary File (EF) under the master file and 6F/4F = Elementary File 
under a dedicated file: Its structure is composed of a header plus a body, 
which holds the content itself (for example, the SMS). 

The following diagram gives an example of this hierarchical structure (the file system 
structure of a SIM): 
The GSM technical specification already provides some files with common names. 
Some of the most interesting among the standard ones are the 3F00:7F10 
directory, named df_telecom, which contains service-related information, 
including user-created data such as SMS and last numbers dialed, and the 3F00:7F20 
directory, named df_gsm, which contains network-related information for GSM 900 MHz 
band operation (df_dcs1800 contains information for 1800 MHz band operation). 
The ICCID and IMSI mentioned previously can be found at 3F00:2FE2, named 
EF_ICCID, and 3F00:7F20:6F07, named EF_IMSI, respectively. The following table 
presents some of the well-known information that can be found inside the SIM card 
and their respective locations: 


Description                       Location 
SMS                               7F10:6F3C 
MSISDN                            7F10:6F40 
Last Dialed Numbers (LDN)         7F10:6F44 
Abbreviated Dial Numbers (ADN)    7F10:6F3A 
IMSI                              7F10:6F07 


In the SIM, access to each file (EF) is ruled by a number of privilege levels, 
which allow or deny certain actions according to the "role" the user has (which is 
given by the privilege). Some of the "useful" privileges are ALWays, CHV1, and 
CHV2. These are the privileges that allow the owner of the SIM card (or, in any case, 
the user who knows the codes) to access and modify the content of such files. For 
instance, any file that has one of these privileges associated with the update command 
allows those who know such codes (CHV1/CHV2) to modify the information inside 
that file. The following table summarizes the access conditions for SIM cards: 


Level      Access condition 
0          ALWays 
1          CHV1 
2          CHV2 
3          Reserved for GSM future use 
4 to 14    ADM 
15         NEVer 
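An added Python example (not the book's code) covering both the file hierarchy described above and the access conditions table: it validates a SIM file path against the MF/DF/EF rules from GSM 11.11 as stated in this chapter, names the well-known files listed here, and decides whether an UPDATE is permitted for a given access level and set of verified codes. Identifiers not named in the chapter are reported as unnamed; the function names are my own.

```python
import re

# File types by high byte of the file identifier, as described in the chapter
# (GSM 11.11): 3F = MF, 7F/5F = DF, 2F = EF under the MF, 6F/4F = EF under a DF.
FILE_TYPES = {
    "3F": "MF",
    "7F": "DF", "5F": "DF",
    "2F": "EF",
    "6F": "EF", "4F": "EF",
}

# Well-known files named in the chapter; any other identifier is "unnamed".
KNOWN_FILES = {
    "3F00": "Master File",
    "7F10": "df_telecom",
    "7F20": "df_gsm",
    "2FE2": "EF_ICCID",
    "6F07": "EF_IMSI",
    "6F3C": "SMS",
    "6F40": "MSISDN",
    "6F44": "Last Dialed Numbers (LDN)",
    "6F3A": "Abbreviated Dial Numbers (ADN)",
}

_FID = re.compile(r"^[0-9A-F]{4}$")


def parse_sim_path(path):
    """Split a path such as '3F00:7F20:6F07' into (fid, kind, name) triples.

    The hierarchy rules of the chapter are enforced: the MF may appear only as
    the root, a DF may sit under the MF or another DF, a 2F EF only directly
    under the MF, a 6F/4F EF only under a DF, and nothing may follow an EF.
    A path that omits the leading 3F00 (as the chapter's table does) is taken
    as relative to the MF.
    """
    fids = [p.strip().upper() for p in path.split(":")]
    parent = "MF" if fids and not fids[0].startswith("3F") else None
    result = []
    for fid in fids:
        if not _FID.match(fid) or fid[:2] not in FILE_TYPES:
            raise ValueError(f"{fid!r} is not a valid SIM file identifier")
        kind = FILE_TYPES[fid[:2]]
        if parent == "EF":
            raise ValueError(f"{fid} follows an elementary file; EFs have no children")
        if kind == "MF" and parent is not None:
            raise ValueError(f"{fid}: the master file can only be the root")
        if kind == "DF" and parent is None:
            raise ValueError(f"{fid}: a dedicated file needs the MF or a DF above it")
        if fid[:2] == "2F" and parent != "MF":
            raise ValueError(f"{fid}: 2F elementary files sit directly under the MF")
        if fid[:2] in ("6F", "4F") and parent != "DF":
            raise ValueError(f"{fid}: 6F/4F elementary files sit under a dedicated file")
        result.append((fid, kind, KNOWN_FILES.get(fid, "unnamed")))
        parent = kind
    return result


def access_condition(level):
    """Map a 4-bit access level (0..15) to the condition in the chapter's table."""
    if not 0 <= level <= 15:
        raise ValueError("access level must be between 0 and 15")
    if level == 0:
        return "ALW"
    if level == 1:
        return "CHV1"
    if level == 2:
        return "CHV2"
    if level == 3:
        return "RFU"       # reserved for GSM future use
    if level == 15:
        return "NEV"
    return "ADM"           # levels 4 to 14


def update_allowed(level, verified):
    """Whether UPDATE is permitted given the set of codes already verified.

    `verified` holds names such as {"CHV1", "CHV2", "ADM"}; ALW needs nothing,
    NEV and the reserved level never permit the command.
    """
    cond = access_condition(level)
    if cond == "ALW":
        return True
    if cond in ("NEV", "RFU"):
        return False
    return cond in verified


if __name__ == "__main__":
    for fid, kind, name in parse_sim_path("3F00:7F20:6F07"):
        print(f"{fid}  {kind}  {name}")
    print(update_allowed(1, {"CHV1"}), update_allowed(2, {"CHV1"}))
```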
SIM security 

Other than the ICCID and IMSI, which relate mainly to the SIM itself, the other two 
important codes that are useful (actually, almost indispensable) to know when 
conducting an analysis are the PIN code and the PUK code. The PIN code is used to 
authenticate the user to the system, while the PUK code is used to unlock the SIM 
card after three incorrect attempts to enter the PIN code. Therefore, brute forcing the 
PIN is generally ineffective, because three failed PIN attempts will result in the SIM 
being locked. 

Fortunately, SIM cards have a PUK, and many network service providers (NSP) 
can provide the PUK to law enforcement with proper legal authorization signed by 
a judge (warrant), in order to get around the PIN or to access a locked SIM card. 

If an incorrect PUK code is inserted 10 times, the SIM will block itself permanently, 
making its content completely inaccessible. This is something to keep in mind before 
starting a brute force guessing against those two codes. 

Summary 

In this chapter, we gave a general introduction to digital forensics for those relatively 
new to this area of study and a good recap to those already into the field, keeping 
the specificity of the mobile forensics field in mind. We have seen what digital 
evidence is and how it should be handled, presenting several techniques to isolate 
the mobile device from the network. You should always remember the importance of 
documenting any action taken (chain of custody, final report, and so on) and to put 
in place the mechanisms to verify the integrity of the evidence (hash values). We also 
talked about the different acquisition techniques for iOS devices, anticipating 
some terms and technologies that will be covered in full detail in the next chapters 
of this book, from A to Z. Last but not least, we talked about the SIM card, how it is 
structured, and what type of useful information we can expect to find inside. 

In the next chapter, we will start focusing purely on the mobile forensics of Apple 
devices. In particular, you will have an introduction to the iOS devices, OS, and the 
file system. 
Self-test questions 

1. What is the best option to isolate a mobile device before acquisition? 

1. Jammer 

2. Faraday's bag 

3. Airplane mode 

4. Switch off the device 

2. What is the most comprehensive acquisition method? 

1. Logical 

2. Advanced logical 

3. File system 

4. Physical 

3. What is the code that internationally and univocally identifies each SIM 
card called? 

1. IMSI 

2. ICCID 

3. PUK 

4. GSM 

4. How many PUK attempts do we have before the SIM card becomes 
completely inaccessible? 

1. 3 

2. 5 

3. 10 

4. 15 
The purpose of this chapter is to introduce the basic aspects for the forensic analysis 
of an iOS device. In the first part, the different types and models of the Apple 
devices are shown, with an indication of the methodologies and techniques to 
accurately identify the model that you have to acquire. The second part analyzes the 
fundamental principles of the operating system (types, versions, and so on) and the 
type and structure of the file system used on these devices. 


iOS devices 

According to the commonly used definition, an iOS device is a device that uses the 
iOS operating system. Currently, we have four types of devices: iPhone, iPad, iPad 
mini, and iPod touch. 

iPhone 

The most famous iDevice is certainly the iPhone, which has caused a complete 
revolution in the concept of cellphones, being based on a multi-touch screen, 
a virtual keyboard, and few physical buttons (the Home, Volume, Power 
on/ off, and Ringer/ Vibration buttons). 
iPhone (first model) 

The first model of the iPhone, known simply as iPhone, is equipped with an S5L8900 
ARM processor at 620 MHz (underclocked to 412 MHz) and 128 MB of RAM, and it 
uses a quad-band GSM/GPRS/EDGE (850/900/1800/1900 MHz) cellular connection, 
as well as supporting 802.11 b/g Wi-Fi connectivity and Bluetooth 2.0 + EDR 
(information on how Bluetooth is implemented is available at http://support. 
apple.com/kb/HT3647). The phone is identified by the model number A1203 and 
the hardware string iPhone1,1. With regards to the software, it originally used an 
ancestor of the iOS operating system, known as iPhone OS 1.0. The latest supported 
version is iPhone OS 3.1.3. 

iPhone 3G 

The second model produced by Apple, known as iPhone 3G since it added support 
for the 3G cellular network, is equipped with an S5L8900 ARM processor and 128 MB 
of RAM. In addition to support for the 3G network (UMTS/HSDPA up to 3.6 Mbit/s 
at 850, 1900, and 2100 MHz), the main hardware innovation was the presence 
of a GPS chip, which is used for geolocation services. The phone is identified by the 
model number A1241 (or A1324 for devices sold in China) and the string iPhone1,2. 
With regards to the software, it originally used iPhone OS 2.0. The latest supported 
version is iOS 4.2.1. 

iPhone 3GS 

The third model produced by Apple, known as iPhone 3GS, is equipped with a 
S5L8920 833 MHz ARM processor (underclocked to 600 MHz) and 256 MB of RAM. 
From the point of view of the forensic analysis, it is interesting to highlight that 
starting from this model, it is possible to geotag images, making it possible for an 
investigator to identify the place where a picture was taken. The phone is identified 
by the model number A1303 (or A1325 for devices sold in China) and the string 
iPhone2,1. With regards to the software, it originally used iPhone OS 3.0. The latest 
supported version is iOS 6.1.6. The production of these devices was discontinued in 
September 2012. 
iPhone 4 

The fourth model produced by Apple is known as iPhone 4. It is a completely 
renewed device compared to the previous iPhone models, both in appearance and 
functionality. The device is more squared in its aesthetic form and presents several 
hardware improvements: an Apple A4 S5L8930 1 GHz processor (underclocked to 
800 MHz), 512 MB of RAM, a 5 MP camera with the ability to shoot videos in HD (720p), 
and a 3-axis gyroscope. The phone is identified by the model numbers A1332 
(GSM model) and A1349 (CDMA model) and by three strings: iPhone3,1, iPhone3,2, 
and iPhone3,3. With regards to the software, it originally used iOS 4.0, which is the 
first version with the new name. The latest supported version is iOS 7.1.2. 


iPhone 4s 

The fifth model produced by Apple, known as iPhone 4s, is aesthetically very similar 
to iPhone 4, except for the presence of two cuts on the upper part of both sides. The 
new hardware consists of an Apple A5 S5L8940 1 GHz processor (underclocked 
to 800 MHz), 512 MB of RAM, support for HSPA+ up to 14.4 Mbit/s, and an 8 MP 
rear camera with the ability to shoot videos in HD (1080p). The phone is identified by 
the model number A1387 (or A1431 for devices distributed in China) and the string 
iPhone4,1. With regards to the software, it originally used iOS 5.0. Currently, iPhone 
4s is supported by the latest available version (iOS 8.1). 


iPhone 5 

The sixth model produced by Apple, known as iPhone 5, uses an Apple A6 S5L8950 
processor 1.3 GHz, 1 GB of RAM, and it supports HSPA+ and LTE cellular networks. 
It is also equipped with a 1.2 MP front camera for pictures and video up to 720p HD 
quality. It is the first device in the series with a 4" screen. The phone is identified 
by three model numbers: A1428 (GSM model), A1429 (GSM and CDMA model), 
and A1442 (CDMA model for China) and by two strings: iPhone5,1 (USA version 
with LTE support) and iPhone5,2 (other countries). With regards to the software, 
it originally used iOS 6.0. Currently, iPhone 5 is supported by the latest available 
version (iOS 8.1). 
iPhone 5c 

The seventh model produced by Apple, known as iPhone 5c, uses the same 
processor and the same amount of RAM as the iPhone 5 model, from which it differs 
in an LTE network support extended to the whole world and a more powerful 
battery. The phone is identified by five model numbers: A1526 (China), A1532 (North 
American model), A1456 (the U.S. and Japanese model), A1507 (Europe), and A1529 
(Asia and Oceania) and by two strings: iPhone5,3 and iPhone5,4. With regards to the 
software, it originally used iOS 7.0. Currently, iPhone 5c is supported by the latest 
available version (iOS 8.1). 


iPhone 5s 

The eighth model produced by Apple, known as iPhone 5s, uses an Apple A7 
S5L8960 processor at 1.3 GHz, 1 GB of RAM, and the biometric authentication system 
based on fingerprints, called Touch ID. It also has an Apple M7 motion coprocessor. 
The phone is identified by five model numbers: A1528 (China), A1533 (North 
American model), A1453 (the U.S. and Japanese model), A1457 (Europe), and A1530 
(Asia and Oceania) and by two strings: iPhone6,1 and iPhone6,2. With regards to the 
software, it originally used iOS 7.0. Currently, iPhone 5s is supported by the latest 
available version (iOS 8.1). 


iPhone 6 

The ninth model produced by Apple, known as iPhone 6, uses an Apple A8 APL1011 
processor 1.38 GHz with 1 GB of RAM. It has also a motion coprocessor Apple M8. 
The phone is identified by two model numbers: A1549 (North America) and A1586 
(global) and by the string iPhone7,2. With regards to the software, it originally used 
iOS 8.0. Currently, iPhone 6 is supported by the latest available version (iOS 8.1). 


iPhone 6 Plus 

The tenth model produced by Apple, known as iPhone 6 Plus, uses an Apple A8 
APL1011 processor 1.38 GHz with 1 GB of RAM. It has also a motion coprocessor 
Apple M8. The phone is identified by two model numbers: A1522 (North America) 
and A1524 (global) and by the string iPhone7,1. With regards to the software, it 
originally used iOS 8.0. Currently, iPhone 6 Plus is supported by the latest available 
version (iOS 8.1). 
iPad 

After the success of the iPhone, Apple carried out the project of designing and 
producing a larger version, which for the first time gave substance to Steve Jobs' 
idea in 1983: 

"Apple's strategy is really simple. What we want to do is we want to put an 
incredibly great computer in a book that you can carry around with you." 

After the launch of the first iPad, Jobs said that Apple had begun to develop the iPad 
tablet before iPhone, but that had subsequently decided to concentrate its efforts in 
the development of iPhone. 

iPad (first model) 

The first model of iPad, known simply as iPad (or iPad first generation), is equipped 
with a 1 GHz S5L8930 ARM processor (known as the Apple A4) and 256 MB of 
RAM. As with all the iPad device family, there are two distinct versions: the first one 
is equipped only with Wi-Fi 802.11 a/b/g/n connectivity, while the second one is also 
equipped with 3G UMTS/HSDPA/EDGE and a GPS. The two models are identified 
by model number A1219 (Wi-Fi only) and A1337 (Wi-Fi and 3G), while both models 
are characterized by the string iPad1,1. From a software point of view, it originally 
used the iPhone OS 3.2. The latest supported version is iOS 5.1.1. 


iPad 2 

The second model of iPad, known as iPad 2, is equipped with a 1 GHz S5L8940 ARM 
processor (known as Apple A5) and 512 MB of RAM. Compared to the previous 
version, Apple introduced a front and a rear camera of 0.75 MP. It was produced in 
three models: Wi-Fi only (model number A1395), Wi-Fi and GSM (model number 
A1396), and Wi-Fi and CDMA (model number A1397). There are four hardware 
strings: iPad2,1 (Wi-Fi only); iPad2,2 (Wi-Fi and GSM); iPad2,3 (CDMA and Wi-Fi); 
and iPad2,4 (Wi-Fi only with S5L8942 processor, known as A5 Rev A). With regards 
to the software, it originally used iOS 4.3. Currently, it is still supported by the latest 
version available (iOS 8.1). 
iPad 3 (the new iPad) 

The third model of iPad, known as iPad 3 (or the new iPad), is equipped with a 1 
GHz S5L8945 ARM processor (known as Apple A5X) and 1 GB of RAM memory. It 
was produced in three models: Wi-Fi only (model number A1416), Wi-Fi and cellular 
(VZ) (model number A1403), and cellular and Wi-Fi (model number A1430). There are 
three hardware strings of identification: iPad3,1 (Wi-Fi only); iPad3,2 (Wi-Fi, GSM, and 
CDMA); and iPad3,3 (Wi-Fi and GSM). With regards to the software, it originally used 
iOS 5.1. Currently, it is still supported by the latest version available (iOS 8.1). 

iPad 4 (with Retina display) 

The fourth model of iPad, known as iPad 4 (or iPad with Retina display), is equipped 
with a 1.4 GHz S5L8955 ARM processor (known as Apple A6X) and 1 GB of RAM. It 
was produced in three models: Wi-Fi only (model number A1458), Wi-Fi and cellular 
(MM) (model number A1460), and cellular and Wi-Fi (model number A1459). There 
are three hardware strings of identification: iPad3,4 (Wi-Fi only); iPad3,5 (Wi-Fi 
and GSM); and iPad3,6 (Wi-Fi, GSM, and CDMA). With regards to the software, it 
originally used iOS 6.0.1. Currently, it is still supported by the latest version available 
(iOS 8.1). 

iPad Air 

The fifth model of iPad, known as iPad Air, is equipped with a 1.4 GHz S5L8965 
ARM processor (known as Apple A7) and 1 GB of RAM memory. It was produced 
in two models: Wi-Fi only (model number A1474) and cellular and Wi-Fi (model 
number A1475). There are two hardware strings of identification: iPad4,1 (Wi-Fi 
only) and iPad4,2 (Wi-Fi and cellular). With regards to the software, it originally 
used iOS 7.0.3. Currently, it is still supported by the latest version available (iOS 8.1). 


iPad mini 

The first model of iPad mini, a smaller version of the iPad, is known simply as iPad 
mini. It is equipped with a 1 GHz S5L8942 ARM processor (known as the Apple A5 
Rev A) and 512 MB of RAM. It was produced in three models: Wi-Fi only (model 
number A1432); Wi-Fi and GSM (model number A1454); and Wi-Fi, GSM and 
CDMA (model number A1455). There are three hardware strings of identification: 
iPad2,5 (Wi-Fi only); iPad2,6 (Wi-Fi and GSM); and iPad2,7 (Wi-Fi, GSM, and 
CDMA). With regards to the software, it originally used iOS 6.0.1. It is currently still 
supported by the latest version available at the time of writing the book (iOS 8.1). 


Chapter 2 


iPad mini second generation 

The second model of iPad mini, known as iPad mini second generation (or iPad 
mini with Retina display), is equipped with a 1.3 GHz S5L8960 ARM processor 
(known as Apple A7) and 1 GB of RAM. Compared to its predecessor, it uses a 
Retina screen and an Apple M7 motion coprocessor. It was produced in two models: 
Wi-Fi only (model number A1489), and Wi-Fi and cellular (model number A1490). 
There are three hardware strings of identification: iPad4,4 (Wi-Fi only); iPad4,5; and 
iPad4,6 (Wi-Fi and cellular). With regards to the software, it originally used iOS 7.0.3. 
It is currently still supported by the latest version available (iOS 8.1). 

iPad mini third generation 

The third model of iPad mini, known as iPad mini third generation, is equipped 
with a 1.3 GHz S5L8960 ARM processor (known as Apple A7) and 1 GB of RAM. 
Compared to its predecessor, it uses a Retina screen and an Apple M7 motion 
coprocessor. It was produced in three models: Wi-Fi only (model number A1599) 
and Wi-Fi and cellular (model numbers A1600 and A1601). There are three hardware 
strings of identification: iPad4,7 (Wi-Fi only); iPad4,8; and iPad4,9 (Wi-Fi and 
cellular). With regards to the software, it originally used iOS 8.0. It is currently still 
supported by the latest version available (iOS 8.1). 

iPod touch 

The iPod touch device is a media player that looks like the iPhone and uses the iOS 
operating system. It can play media and video games. It includes a Wi-Fi connection 
so that it can access the Internet with the mobile version of Safari, purchase songs 
online from the iTunes Store, and download apps from the App Store. 

iPod touch (first model) 

The first model of iPod touch, known simply as iPod touch, is equipped with a 
620 MHz S5L8900 ARM processor and 128 MB of RAM memory. It is identified by 
the model number A1213 and by the hardware string iPod1,1. With regards to the 
software, it originally used iPhone OS 1.1. The latest supported version is iPhone 
OS 3.1.3. 
iPod touch (second generation) 

The second model of iPod touch, known as iPod touch (second generation), is 
equipped with a 620 MHz S5L8720 ARM processor and 128 MB of RAM memory. It 
is identified by the model number A1288 and by the hardware string iPod2,1. With 
regards to the software, it originally used iPhone OS 2.1.1. The latest supported 
version is iOS 4.2.1. 

iPod touch (third generation) 

The third model of iPod touch, known as iPod touch (third generation), is equipped 
with an 833 MHz S5L8920 ARM processor and 256 MB of RAM memory. It is 
identified by the model number A1318 and by the hardware string iPod3,1. With 
regards to the software, it originally used iPhone OS 3.1. The latest supported 
version is iOS 5.1.1. 

iPod touch (fourth generation) 

The fourth model of iPod touch, known as iPod touch (fourth generation), is 
equipped with a 1 GHz S5L8930 ARM processor (known as Apple A4) and 256 MB 
of RAM memory. It is identified by the model number A1367 and by the hardware 
string iPod4,1. With regards to the software, it originally used iOS 4.1. The latest 
supported version is iOS 6.1.6. 

iPod touch (fifth generation) 

The fifth model of iPod touch, known as iPod touch (fifth generation), is equipped 
with a 1 GHz S5L8942 ARM processor (known as Apple A5) and 512 MB of RAM 
memory. It is identified by the model number A1421 or A1509 and by the hardware 
string iPod5,1. With regards to the software, it originally used iOS 6.0. It is currently 
still supported by the latest version available (iOS 8.0). 


iOS devices matrix 

Some useful information about the iOS devices can be found at the following links: 

• iOS models (http://theiphonewiki.com/wiki/Models): This page 
contains detailed tables with device name, device model, FCC-ID, internal 
name, and hardware identifier 

• Application Processor (http://theiphonewiki.com/wiki/Application_ 
Processor): This page contains a detailed list of the processors installed in 
iOS devices 

• iPhone (http://theiphonewiki.com/wiki/IPhone): This page contains a 
detailed table with all the features and characteristics for every iPhone model 

• iPad (http://theiphonewiki.com/wiki/IPad): This page contains a 
detailed table with all the features and characteristics for every iPad model 

• iPod touch (http://theiphonewiki.com/wiki/IPod_touch): This page 
contains a detailed table with all the features and characteristics for every 
iPod touch model 

• iOS Support Matrix (http://iossupportmatrix.com/): This page contains 
a visual representation of all the iDevice models with their hardware and 
software features and support 

• iPhone IMEI (http://iphoneimei.info/): This page contains a search 
engine to find the specific iPhone model from the IMEI number 

• IMEI.info (http://www.imei.info/): This site is similar to the 
preceding one 

• iPhoneox (http://www.iphoneox.com/): This site is similar to the 
preceding one 

iOS operating system 

All the devices described in this chapter have in common the use of the iOS 
operating system. Originally known as iPhone OS up to Version 3, it was developed 
by Apple specifically for iPhone, iPad, and iPod touch. It was unveiled for the first 
time in January 2007 and was introduced with the first model of iPhone in June of 
the same year. 

iOS is an operating system derived from its older forefather Mac OS X, which is in 
turn built on Darwin OS, a derivative of BSD Unix with the Mach-based XNU kernel. 
It uses four levels of abstraction: 

• Core OS: This level consists of file system, memory management, security, 
power management, TCP/IP, sockets, and encryption 

• Core services: This level consists of networking, SQLite, geolocation, 
and threads 

• Media: This level consists of OpenAL, audio, image, video, and OpenGL 

• Cocoa touch: This level consists of core animation, multitasking, and 
gesture recognizer 
The main screen, known as SpringBoard, is divided into three parts: 

• The top bar that displays the telephone signal, any 3G/Wi-Fi/Bluetooth 
active connections, and the battery status 

• The central part containing the icons of the applications in your device 

• The bar at the bottom containing the most frequently-used applications 

   ◦ iPhone: Phone, Mail, Safari, Music 
   ◦ iPad/iPod touch: Messages, Mail, Safari, Music 

The home screen appears whenever the user unlocks the device or presses the Home 
button while in another app. 

The complete list of all the operating system versions produced by Apple is published 
and frequently updated at http://theiphonewiki.com/wiki/Firmware. At 
http://www.ipswdownloader.com/, it is possible to download all firmware for 
all models. 


iDevice identification 

It is very useful for a forensic investigator to be able to recognize the specific 
model of an iOS device while conducting a search and seizure or prior to an 
acquisition activity. 

The recognition phase can be performed in four ways: 

• Identifying the shape of the device and the connector used 

• Checking the model number printed on the back of the device 

• Connecting the device to a laptop and directly communicating with it 

• Directly through the OS by tapping on Settings | General | About 

The first method can be used by practicing the identification of the unique 
characteristics of each model. In some cases, it may be a complex assessment 
and it is therefore advisable to confirm the first evaluation with one of the other 
three methods. 
The second method requires you to identify the model number on the back of the 
device. As reported in the previous tables, from the model number it is easy to 
identify the type of device. In the example shown in the following screenshot, the 
model can be identified as A1303, that is, an iPhone 3GS with 16 GB of memory: 



The third method is to retrieve the information directly by interacting with the device 
connected to a computer. As we will explore later on, once you turn on an iDevice, 
it may be password-protected and present a screen asking for the lock code. Regardless 
of whether the code is known or can be bypassed, the device can communicate some 
information when connected to a computer. 

Very useful in this context is the collection of tools and libraries available at 
http://www.libimobiledevice.org/, preinstalled in the Linux distributions Santoku 
(https://santoku-linux.com/) and DEFT 8.1 (http://www.deftlinux.net/). 

Using the ideviceinfo command, it is possible to extract some information from the 
device with no need to unlock it. The -s (simple) option queries the device over a 
plain connection without attempting to pair with it, so it works on a locked device 
and returns the limited set of values listed below. 

The information that can be extracted is as follows: 

• Device name 

• Device class 

• Hardware model 

• iOS version 

• Telephony capability 

• Unique device ID 

• Wi-Fi MAC address 
In the example shown in the following output, it is possible to identify that the 
connected device is a Wi-Fi only iPad mini 1 (hardware model P105AP) running iOS 6.1.2 
(build 10B146) and named "iPad di Mattia". TelephonyCapability: false confirms the 
Wi-Fi model, and UniqueChipID is the ECID in decimal: 

    santoku@santoku:~$ ideviceinfo -s 
    ActivationPublicKey: LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JR0pBb0dCQUxGN3IlcFE2ekpNdllCWllRTjVLNjY5allQZnJrR2RoMXo5cHFjdmZnTXBZYTVIVWJUMnBrSFgKdFFZUU0ydlAzblZtN2JqNFhTQXVlaFpWa01zTGpwNDRoSnFLcGQ4RGFvMTUzZjBkMFNpVHh0TGNCblY3VUIrcwoyNWpmck5Rc25JdStsK0ZRSldUckdNMmpldzBhVXFIU0haL2xCRDFQSnpOUlkwVEtpLzlOQWdNQkFBRT0KLS0tLS1FTkQgUlNBIFBVQkxJQyBLRVktLS0tLQo= 
    BoardId: 10 
    BuildVersion: 10B146 
    ChipID: 35138 
    DeviceClass: iPad 
    DeviceName: iPad di Mattia 
    DevicePublicKey: LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JR0pBb0dCQUtwWlV6SzdZWko4bVlWVjVzTGpJUEtlQ3J4L295d0NEY2wzWGpNOFY5N2l3NHBmY282ci9VeCsKanNPOWVSSWVaZmR6UmZYKy9kYlFyZlNjanlQQTBqZ0tVV1l6UytPblM3R28yTUJ4MUFlUlNaMHNEZE94b2xvNwpBSnhwVVBtUllodlVaNDhrYUdVS21aVmZDYUpCNVpRclRyNnFBZVJoeEpGVk4xK0tPRjg3OWdNOkFBRT0KLS0tLS1FTkQgUlNBIFBVQkxJQyBLRVktLS0tLQo= 
    DieID: 3609108662014788576 
    HardwareModel: P105AP 
    PartitionType: 
    ProductVersion: 6.1.2 
    ProductionSOC: true 
    ProtocolVersion: 2 
    TelephonyCapability: false 
    UniqueChipID: 1823148166600 
    UniqueDeviceID: 08399bf9b65bc55e2783776b559c02dc90bd65ef 
    WiFiAddress: e0:f5:c6:31:02:54 
    santoku@santoku:~$ 


iOS file system 

All the iDevices use HFSX as their file system, the case-sensitive variant of HFS+. 
Within the same folder, then, it is possible to store two or more files whose names 
differ only in the case of individual characters (for example, ios.jpg and iOS.jpg). 
A tool that assumes case-insensitive names may conflate such entries when searching 
or exporting, so the software used to mount or parse the image must be HFSX-aware. 
The HFS+ file system 

HFS Plus (or HFS+) is the file system developed by Apple to replace HFS as the default 
file system for Mac computers, starting from Mac OS 8.1. In Apple's official 
documentation, it is called Mac OS Extended. 

HFS+ is an improved version of HFS. It supports larger files and volumes (thanks to 
32-bit instead of 16-bit allocation block addresses) and uses Unicode for the names 
of file system objects (files and folders), allowing up to 255 characters for each. 
Until Mac OS X Tiger, HFS+ only supported Unix file system permissions for access to 
files. Tiger introduced support for access control lists (ACL), typical of Microsoft 
environments. 

HFS+ volumes are divided into allocation blocks, each of which spans one or more 
sectors (typically 512 bytes on a hard drive). The number of allocation blocks 
depends on the total size of the volume. The HFS+ file system uses 32 bits to address 
the allocation blocks, thus allowing up to 2^32 blocks (4,294,967,296). 

A typical HFS+ volume is defined by the following six major data structures, which 
contain the information needed to manage the volume: 

• Volume Header: This structure defines the basic layout of the volume, such as 
the size of each allocation block, the number of used and free blocks, and the 
size and position of the other special files 

• Allocation File: This file contains a bitmap of the used and unused allocation 
blocks within the volume 

• Catalog File: This file defines the structure of the directories in the file 
system and is used to identify the location of a specific file or folder 

• Extents Overflow File: This file contains the additional extents of files that 
are fragmented into more than eight extents 

• Attributes File: This file contains the extended attributes of files 

• Startup File: This file contains information required at system boot 
The on-disk layout of a volume can be represented as follows (from the start to the 
end of the volume): 

    Reserved (1024 bytes: boot blocks) 
    Volume Header (512 bytes) 
    Allocation File 
    Extents Overflow File 
    Catalog File 
    Attributes File 
    Startup File 
    Alternate Volume Header (512 bytes) 
    Reserved (512 bytes) 
Both special files and user files are stored in forks, that is, sets of allocation 
blocks. Space is usually allocated in clumps, where the size of a clump is a multiple 
of the block size. The contiguous allocation blocks that hold a given file are grouped 
into extents. Each extent is described by a starting allocation block and by a block 
count, which indicates how many consecutive blocks contain data from that specific file. 

Boot blocks and startup file: the first 1024 bytes of a volume are reserved as boot 
blocks and may contain information needed during system startup. Alternatively, boot 
information can be stored in the startup file, which has no fixed size limit and 
therefore allows a greater amount of information to be stored. 

The volume header, a 512-byte data structure, contains the volume information, 
including the location of the other special files. It is always located 1024 bytes 
after the beginning of the volume (that is, at sector 2 with 512-byte sectors). A copy 
of the volume header, called the alternate volume header, is stored 1024 bytes before 
the end of the volume and is what a repair tool falls back on when the primary header 
is damaged. The first 1024 bytes and the last 512 bytes of the volume are reserved. 
The information contained in the volume header is as follows (all integers are 
big-endian; dates are 32-bit counts of seconds since 1904-01-01 00:00:00): 

Field name          Size      Description 
signature           2 bytes   The volume signature: 'H+' for HFS Plus, 'HX' for HFSX. 
version             2 bytes   The format version: 4 for HFS Plus, 5 for HFSX. 
attributes          4 bytes   Volume attributes (for example, journaling active). 
lastMountedVersion  4 bytes   Identifies the implementation that last mounted the 
                              volume for writing. 
journalInfoBlock    4 bytes   The allocation block holding the journal info block 
                              (when journaling is enabled). 
createDate          4 bytes   Volume creation date (stored in local time, unlike the 
                              other dates, which are in UTC). 
modifyDate          4 bytes   Date of the last modification of the volume. 
backupDate          4 bytes   Date of the last backup. 
checkedDate         4 bytes   Date of the last consistency check. 
fileCount           4 bytes   Number of files in the volume, not counting the special 
                              files. 
folderCount         4 bytes   Number of folders in the volume, not counting the root 
                              folder. 
blockSize           4 bytes   Allocation block size (bytes). 
totalBlocks         4 bytes   Total number of allocation blocks. 
freeBlocks          4 bytes   Number of available allocation blocks. 
nextAllocation      4 bytes   Start point for the search of the next available 
                              allocation block. 
rsrcClumpSize       4 bytes   Default clump size for resource forks. 
dataClumpSize       4 bytes   Default clump size for data forks. 
nextCatalogID       4 bytes   Next unused catalog node ID (CNID). 
writeCount          4 bytes   Incremented each time the volume is mounted writable. 
encodingsBitmap     8 bytes   Bitmap of the text encodings used for file and folder 
                              names. 
finderInfo          32 bytes  Information used by the Mac OS Finder and by the system 
                              boot process. 
allocationFile      80 bytes  Location and size (fork data) of the allocation file. 
extentsFile         80 bytes  Location and size of the extents overflow file. 
catalogFile         80 bytes  Location and size of the catalog file. 
attributesFile      80 bytes  Location and size of the attributes file. 
startupFile         80 bytes  Location and size of the startup file. 

The allocation (bitmap) file is used to keep track of which allocation blocks on a 
volume are currently in use. It is a bitmap that contains one bit for each allocation 
block in the volume. If a bit is 1, the corresponding allocation block is in use. If 
the bit is 0, the corresponding allocation block is not currently in use and is 
therefore available to be assigned to a file or folder; from a forensic point of view, 
these blocks are the unallocated space that may still hold the content of deleted files. 

The catalog file is used to keep the information on the hierarchy of files and folders 
on HFS+. It is organized as a B-tree and therefore consists of a header node, index 
nodes, and leaf nodes. The position of the first block of the catalog file (and thus 
of its header node) is stored in the volume header. The catalog file contains the 
metadata of all the files and folders on a volume, including creation, modification 
and access dates, permissions, the file identifier (CNID), and the owner of the file. 
The data structure for each file record in the catalog file is as follows: 

    struct HFSPlusCatalogFile { 
        SInt16              recordType; 
        UInt16              flags; 
        UInt32              reserved1; 
        HFSCatalogNodeID    fileID; 
        UInt32              createDate; 
        UInt32              contentModDate; 
        UInt32              attributeModDate; 
        UInt32              accessDate; 
        UInt32              backupDate; 
        HFSPlusBSDInfo      permissions; 
        FileInfo            userInfo; 
        ExtendedFileInfo    finderInfo; 
        UInt32              textEncoding; 
        UInt32              reserved2; 
        HFSPlusForkData     dataFork; 
        HFSPlusForkData     resourceFork; 
    }; 


The two fields of most interest for locating file content are dataFork and 
resourceFork (both of type HFSPlusForkData). 

The dataFork field describes the location and size of the file's actual content, 
while the resourceFork field describes the resource fork, which is usually empty on 
iOS and was historically used for application metadata. 

The HFSPlusForkData data structure is defined by four fields as follows: 

    struct HFSPlusForkData { 
        UInt64                 logicalSize; 
        UInt32                 clumpSize; 
        UInt32                 totalBlocks; 
        HFSPlusExtentRecord    extents; 
    }; 
The logicalSize field defines the size in bytes of the fork's data, the totalBlocks 
field defines the number of allocation blocks assigned to it, and the extents field 
stores the first eight extent descriptors of the fork (an extent is a contiguous 
segment of a file). If a fork requires more than eight extents, the additional ones 
are stored in the extents overflow file. Each extent is described by the 
HFSPlusExtentDescriptor data structure, which has two fields: 

    struct HFSPlusExtentDescriptor { 
        UInt32    startBlock; 
        UInt32    blockCount; 
    }; 

The startBlock field identifies the first allocation block of the extent, while the 
blockCount field gives the length of the extent in allocation blocks. The byte offset 
of the start of a file within the volume can therefore be determined by taking the 
first extent and multiplying its startBlock by the allocation block size, which is 
defined in the volume header (blockSize). Since files cannot always be stored in 
contiguous blocks and may be fragmented, the dataFork structure holds up to eight 
extents inline; when a file needs more than eight, the remainder are looked up in the 
extents overflow file by file ID. 
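The following Python script is an added example, not code from the book: it parses 
the volume header described in the table above, decodes the five HFSPlusForkData 
records and their inline HFSPlusExtentDescriptor entries, and turns the catalog 
file's extents into byte offsets with the startBlock * blockSize rule just given. 
Since no real image is shipped with the text, the script constructs a minimal HFSX 
header in memory (all field values below are made up for the demonstration); point 
parse_volume_header at the bytes of a real volume image to use it on evidence. 

```python
"""Parse an HFS+/HFSX volume header and locate special-file extents.

Added example, not from the book: a constructed 512-byte volume header is built
in memory, parsed with the layout described in the text, and the catalog file's
extents are turned into byte offsets (startBlock * blockSize).
"""
import struct
from datetime import datetime, timedelta, timezone

VOLUME_HEADER_OFFSET = 1024                  # bytes from the start of the volume
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)

# HFS+ on-disk integers are big-endian. 2+2+17*4+8+32+5*80 = 512 bytes.
_HEADER_FMT = ">2sH17IQ32s80s80s80s80s80s"
_FORK_FMT = ">QII16I"                        # logicalSize, clumpSize, totalBlocks, 8 extents
_HEADER_FIELDS = (
    "attributes", "lastMountedVersion", "journalInfoBlock", "createDate",
    "modifyDate", "backupDate", "checkedDate", "fileCount", "folderCount",
    "blockSize", "totalBlocks", "freeBlocks", "nextAllocation",
    "rsrcClumpSize", "dataClumpSize", "nextCatalogID", "writeCount",
)
_FORK_NAMES = ("allocationFile", "extentsFile", "catalogFile",
               "attributesFile", "startupFile")
assert struct.calcsize(_HEADER_FMT) == 512 and struct.calcsize(_FORK_FMT) == 80


def hfs_date(secs, local_time=False):
    """HFS+ dates count seconds since 1904-01-01; only createDate is local time."""
    if secs == 0:
        return None
    dt = HFS_EPOCH + timedelta(seconds=secs)
    return dt.replace(tzinfo=None) if local_time else dt


def parse_fork(raw):
    """Decode HFSPlusForkData, dropping the unused (zero-length) inline extents."""
    vals = struct.unpack(_FORK_FMT, raw)
    pairs = vals[3:]
    extents = [(pairs[i], pairs[i + 1]) for i in range(0, 16, 2) if pairs[i + 1]]
    return {"logicalSize": vals[0], "clumpSize": vals[1],
            "totalBlocks": vals[2], "extents": extents}


def parse_volume_header(volume):
    """Parse the primary volume header of an HFS+/HFSX image held in bytes."""
    f = struct.unpack(_HEADER_FMT,
                      volume[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + 512])
    if f[0] not in (b"H+", b"HX"):
        raise ValueError("not an HFS+/HFSX volume header: %r" % f[0])
    hdr = {"signature": f[0].decode(), "caseSensitive": f[0] == b"HX",
           "version": f[1]}
    hdr.update(zip(_HEADER_FIELDS, f[2:19]))
    hdr["encodingsBitmap"], hdr["finderInfo"] = f[19], f[20]
    for name, fork_raw in zip(_FORK_NAMES, f[21:26]):
        hdr[name] = parse_fork(fork_raw)
    hdr["journaled"] = bool(hdr["attributes"] & (1 << 13))  # kHFSVolumeJournaledBit
    return hdr


def extent_byte_ranges(hdr, fork_name):
    """Turn a fork's inline extents into (offset, length) byte ranges in the volume."""
    bs = hdr["blockSize"]
    return [(start * bs, count * bs) for start, count in hdr[fork_name]["extents"]]


def build_sample_volume(block_size=4096):
    """Constructed test data: a small HFSX image with only the header filled in."""
    def fork(logical, extents):
        flat = [x for e in extents for x in e] + [0] * (16 - 2 * len(extents))
        return struct.pack(_FORK_FMT, logical, block_size,
                           sum(c for _, c in extents), *flat)
    created = int((datetime(2013, 8, 11) - HFS_EPOCH.replace(tzinfo=None)).total_seconds())
    header = struct.pack(
        _HEADER_FMT, b"HX", 5,
        1 << 13, 0x4846534A, 3,              # journaled, lastMounted 'HFSJ', journalInfoBlock
        created, created, 0, 0,              # create/modify/backup/checked dates
        120, 30,                             # fileCount, folderCount
        block_size, 2048, 1500, 900,         # blockSize, totalBlocks, freeBlocks, nextAllocation
        65536, 65536, 200, 7,                # clump sizes, nextCatalogID, writeCount
        1, b"\0" * 32,                       # encodingsBitmap, finderInfo
        fork(4096, [(1, 1)]),                # allocation file
        fork(8192, [(2, 2)]),                # extents overflow file
        fork(65536, [(16, 8), (40, 8)]),     # catalog file, fragmented into two extents
        fork(0, []), fork(0, []),            # attributes file, startup file
    )
    image = bytearray(block_size * 64)
    image[VOLUME_HEADER_OFFSET:VOLUME_HEADER_OFFSET + 512] = header
    return bytes(image)


if __name__ == "__main__":
    h = parse_volume_header(build_sample_volume())
    print(h["signature"], "journaled" if h["journaled"] else "not journaled")
    print("created (local time):", hfs_date(h["createDate"], local_time=True))
    print("catalog file byte ranges:", extent_byte_ranges(h, "catalogFile"))
```

The signature check matters on iOS: 'HX' tells the parser that the catalog's name 
comparisons are case-sensitive. The createDate is deliberately converted as local 
time while the other dates are UTC, which is the usual source of one-timezone 
discrepancies when comparing HFS+ timestamps with other artifacts. 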

For the extents overflow file: if a file in an HFS+ volume is composed of more than 
eight extents (that is, it is fragmented over more than eight contiguous regions of 
the volume), the extents in excess are stored in the extents overflow file. Its 
structure is similar to that of the catalog file (a B-tree); however, it is greatly 
simplified, because there is a single key type (HFSPlusExtentKey: fork type, file ID 
and starting block within the file) and the records are plain extent records. 

The attributes file enables the file system to manage additional attributes 
(extended attributes) for a file, defined as key/value pairs. On iOS, this is where 
the per-file encryption metadata discussed in the next chapter is kept. 

An interesting feature of HFS+ is file system journaling, used for recovery after a 
volume was not safely unmounted. The journal records metadata transactions (create, 
delete, modify, and so on) and therefore may contain copies of the same metadata 
stored in the catalog or attributes files, including entries for files that have 
since been deleted. It is active by default on iOS devices and can be used to recover 
deleted content. 

Device partitions 

iDevices use NAND flash memory divided into two partitions: the system or firmware 
partition, and the data partition. 

The system partition contains the iOS operating system and all the preinstalled 
applications and is identified as /dev/disk0s1 (or /dev/disk0s1s1 on devices using 
the newer partitioning scheme). This partition is normally mounted read-only and is 
only modified by an update of the operating system. Since it cannot contain 
user-installed applications and data, it is small (1-2 GB depending on the specific 
model). 

The data partition occupies most of the space in the NAND memory and is identified as 
/dev/disk0s2 (or /dev/disk0s1s2). It contains user data and user-installed 
applications and is mounted at run time by the operating system at /private/var. 

System partition 

If the device is in a normal condition, all information relevant to an investigation 
is within the partition containing user data. The system partition is therefore not 
usually of interest. A complete description of the folder content is available at 
http://theiphonewiki.com/wiki/ and the partition will look like the following (the 
root of the system volume InnsbruckTaos11B554a.P105OS, an HFSX volume from an iPad 
mini running iOS 7.0.4, as listed by a forensic file system browser): 

    .HFS+ Private Data 
    .HFS+ Private Directory Data 
    .Trashes 
    .fseventsd 
    Developer 
    Library 
    System 
    bin 
    boot 
    cores 
    dev 
    lib 
    mnt 
    private 
    sbin 
    usr 
It should be noted, however, that /private/etc/passwd (shown in the following 
screenshot alongside the other files in /private/etc, such as networks, notify.conf, 
profile and protocols) contains the password hashes of the users configured on the 
device (mobile and root). 

For all iDevices, the default password for the mobile and root users is alpine; the 
hash /smx7MYTQIi2M seen in the file is the traditional DES crypt(3) hash of that word. 
This password cannot be modified by the user unless the device is jailbroken, since a 
stock device offers no shell in which to change it. Conversely, on a jailbroken device 
with an SSH server installed, an unchanged default password means that anyone on the 
same Wi-Fi network could have logged in as root, which matters when attributing 
activity found on the device. The file looks as follows: 

    ## 
    # User Database 
    # 
    # This file is the authoritative user database. 
    ## 
    nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false 
    root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh 
    mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh 
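The following Python script is an added example, not code from the book: it parses a 
passwd file taken from an iOS system partition and reports what an examiner would 
note about it, namely accounts still using the default alpine hash quoted above, 
accounts whose password has been changed (possible only on a jailbroken device), 
accounts that share a password (identical crypt(3) hashes), and any extra UID 0 
account. SAMPLE_PASSWD reproduces the default file shown in the text; MODIFIED_PASSWD 
and the hash and account name in it are constructed for the demonstration. 

```python
"""Audit an iOS /private/etc/passwd for default, changed or shared credentials.

Added example, not from the book. SAMPLE_PASSWD reproduces the default user
database shown in the text; MODIFIED_PASSWD is constructed to show what a
tampered file on a jailbroken device might look like (hash and name invented).
"""
DEFAULT_HASH = "/smx7MYTQIi2M"   # traditional DES crypt(3) of "alpine"
DISABLED = ("*", "!", "")         # hashes that mean "no password login"

SAMPLE_PASSWD = """\
##
# User Database
#
# This file is the authoritative user database.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
"""

# Constructed: root password changed, mobile left at default, an extra UID 0 account added.
MODIFIED_PASSWD = """\
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:ab7cKq1Lz9mXo:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
toor:ab7cKq1Lz9mXo:0:0:backdoor:/var/root:/bin/sh
"""


def parse_passwd(text):
    """Return one dict per account; comments and blank lines are skipped."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd entry: %r" % line)
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "hash": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def audit_passwd(text):
    """Return (finding, detail) tuples an examiner would note in the report."""
    users = parse_passwd(text)
    findings = []
    for u in users:
        if u["hash"] == DEFAULT_HASH:
            findings.append(("default-password", u["name"]))
        elif u["hash"] not in DISABLED:
            findings.append(("changed-password", u["name"]))
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(("extra-uid0", u["name"]))
    # Identical crypt(3) hashes (same salt, same digest) mean identical passwords.
    by_hash = {}
    for u in users:
        if u["hash"] not in DISABLED:
            by_hash.setdefault(u["hash"], []).append(u["name"])
    for names in by_hash.values():
        if len(names) > 1:
            findings.append(("shared-password", ",".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for label, text in (("stock", SAMPLE_PASSWD), ("modified", MODIFIED_PASSWD)):
        print(label, audit_passwd(text))
```

On a stock device the only findings are the two default passwords and the fact that 
root and mobile share one; anything else in the output is evidence that the file has 
been edited after a jailbreak. 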


Data partition 

The structure of the data partition has changed over the different evolutions of the 
operating system. The following screenshot shows an example of the folder structure 
extracted from a jailbroken iPad mini 1G running iOS 7.0.4: 

The elements useful for the analysis of an iDevice will be discussed in Chapter 4, 
Analyzing iOS Devices. It is worth pointing out here that iDevices use property list 
files and SQLite databases as their main data and configuration containers. 
The property list file 

Property list files (also known as plists) are used by Apple for the management of 
the configuration of the operating system and of key applications. They come in two 
encodings: XML text, and a compact binary form (files starting with the magic bytes 
bplist00), which is the one most commonly found on iOS devices. In most cases, a plist 
contains text strings, numbers and Boolean values; it can also contain raw data (in 
the XML form this appears Base64-encoded inside <data> elements, as shown in the 
following screenshot), dates, and nested arrays and dictionaries. XML plists can be 
read with a simple text editor, binary ones cannot, and in both cases it is more 
convenient to browse the hierarchical structure with a dedicated reader. 

(Screenshot: foo.plist opened in a property list editor.) 

In the Mac environment, it is possible to use the Property List Editor developed by 
Apple, distributed with the Xcode development platform 
(https://developer.apple.com/xcode/); the command-line tool plutil, part of Mac OS X, 
prints either format (plutil -p file.plist) and converts between them 
(plutil -convert xml1 file.plist). 

In a Windows environment, we can use plist Editor for Windows 
(http://www.icopybot.com/plist-editor.htm). 
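The following Python script is an added example, not code from the book: it reads a 
plist in either encoding with the standard plistlib module, records which format it 
met, and flattens the hierarchy into dotted key paths so that nested values, Base64 
data and dates are all readable. The plist embedded in it is constructed for the 
demonstration and its keys are invented, not taken from any real iOS file. 

```python
"""Read XML and binary property lists the way a forensic viewer must.

Added example, not from the book. SAMPL_XML is constructed for the demonstration;
its keys are invented and do not correspond to any real iOS configuration file.
"""
import plistlib
from datetime import datetime

# Constructed XML plist mixing the value types the text mentions: strings,
# booleans, a Base64-encoded <data> blob, a date and nested containers.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>DeviceName</key><string>iPad di Mattia</string>
  <key>PasscodeSet</key><true/>
  <key>LastBackup</key><date>2013-08-11T00:39:00Z</date>
  <key>WiFiNetworks</key>
  <array>
    <dict><key>SSID</key><string>HomeNet</string><key>Hidden</key><false/></dict>
  </array>
  <key>Token</key><data>AAECAwQF</data>
</dict>
</plist>
"""


def detect_format(raw):
    """Binary plists start with the magic 'bplist'; XML ones with '<?xml' or '<plist'."""
    if raw.startswith(b"bplist"):
        return "binary"
    if raw.lstrip().startswith((b"<?xml", b"<plist")):
        return "xml"
    raise ValueError("not a property list")


def load_plist(raw):
    """plistlib.loads autodetects the encoding; we also report which one it was."""
    return detect_format(raw), plistlib.loads(raw)


def flatten(obj, prefix=""):
    """Walk the hierarchy into dotted key paths; data becomes hex, dates ISO 8601."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, "%s.%s" % (prefix, k) if prefix else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, "%s[%d]" % (prefix, i)))
    elif isinstance(obj, bytes):
        out[prefix] = obj.hex()
    elif isinstance(obj, datetime):
        out[prefix] = obj.isoformat()
    else:
        out[prefix] = obj
    return out


def to_binary(raw_xml):
    """Re-encode an XML plist as bplist00, the form usually found on the device."""
    return plistlib.dumps(plistlib.loads(raw_xml), fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    for raw in (SAMPLE_XML, to_binary(SAMPLE_XML)):
        fmt, tree = load_plist(raw)
        print(fmt)
        for path, value in sorted(flatten(tree).items()):
            print("  %s = %r" % (path, value))
```

Running it shows that the binary and XML encodings carry exactly the same tree, so 
a grep over a binary plist that finds nothing proves nothing: convert first, then 
search. 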
SQLite database 

iOS devices use SQLite databases to store information and user data. The analysis of 
these files requires a minimum knowledge of the SQL commands for the selection of 
data; however, there are several free software options that interpret and display 
the data in a database with ease. An example of cross-platform software is SQLite 
Database Browser (http://sqlitebrowser.org/), which allows us to visualize the 
structure of the database and to navigate within the data, as shown in the following 
screenshot. Whatever the viewer, work on a copy of the database and copy the 
companion -wal and -shm files along with it: recent records may still sit in the 
write-ahead log rather than in the main database file, and opening the file 
read-write would let the viewer rewrite the evidence. 

In a Windows environment, it is also advisable to use the software SQLite Expert 
(available in both personal and commercial licenses at http://www.sqliteexpert.com/). 
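The following Python script is an added example, not code from the book: it does 
with the standard sqlite3 module what the graphical browsers above do by hand, 
enumerating the schema from sqlite_master, dumping a table with its column names, 
and opening on-disk copies read-only. The database it inspects is constructed in 
memory and its table and column names are invented; the timestamp conversion assumes 
the convention used by many iOS application databases, seconds since 
2001-01-01 UTC (Core Foundation absolute time), which the text does not discuss here. 

```python
"""Inspect a SQLite database the way a forensic browser does: schema first,
then rows, read-only. Added example, not from the book; the database is
constructed in memory and its table and columns are invented.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: many iOS app databases store times as seconds since 2001-01-01 UTC
# (Core Foundation absolute time); this helper renders such a column.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cf_absolute_to_iso(secs):
    return (CF_EPOCH + timedelta(seconds=secs)).isoformat()


def open_read_only(path):
    """Never open an evidence copy read-write; SQLite would happily rewrite it."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def list_schema(conn):
    """Return {table_name: CREATE statement} from sqlite_master."""
    rows = conn.execute(
        "SELECT name, sql FROM sqlite_master WHERE type='table' ORDER BY name")
    return {name: sql for name, sql in rows}


def dump_table(conn, table):
    """Fetch all rows with their column names; the table name is checked against the schema."""
    if table not in list_schema(conn):
        raise ValueError("unknown table %r" % table)
    cur = conn.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
    cols = [d[0] for d in cur.description]
    return cols, cur.fetchall()


def build_sample_db():
    """Constructed evidence: an in-memory database shaped like a messaging store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle TEXT, text TEXT, date INTEGER);
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        INSERT INTO handle VALUES (1, '+39333000000');
        INSERT INTO message VALUES (1, '+39333000000', 'ci vediamo alle 9', 397916340);
        INSERT INTO message VALUES (2, '+39333000000', 'ok', 397916400);
    """)
    conn.commit()
    return conn


def messages_with_timestamps(conn):
    """Dump the message table with the date column rendered as ISO 8601 UTC."""
    cols, rows = dump_table(conn, "message")
    idx = cols.index("date")
    return [tuple(cf_absolute_to_iso(v) if i == idx else v for i, v in enumerate(r))
            for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for name, sql in list_schema(db).items():
        print(sql)
    for row in messages_with_timestamps(db):
        print(row)
```

Reading sqlite_master first is not just convenience: on a real device database the 
table and column names are the only reliable guide to which numeric columns are 
timestamps and in which epoch they are expressed. 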
Summary 

This chapter illustrated the features of interest for iOS devices during mobile 
forensic activities. In particular, it introduced the different models with guidance 
on recognition techniques based on the model number or hardware model number. 
It also contained an introduction to the iOS operating system with particular 
reference to the file system (HFSX), the partitions (system and data), and the main 
data structures (property list files and SQLite database). These topics are the 
basics for forensic activity on an iDevice and will be used in the next chapters when 
dealing with acquisition and analysis. 

Self-test questions 

1. What is the latest supported version of iOS for iPhone 4? 
   1. iOS 5.1.1 
   2. iOS 6.1.2 
   3. iOS 7.1.2 
   4. iOS 8.1.2 

2. Which are the model numbers associated with iPhone 6? 
   1. A1522 and A1524 
   2. A1549 and A1586 
   3. A1528 and A1530 
   4. A1428 and A1429 

3. What file system does iOS use? 
   1. NTFS 
   2. EXT3 
   3. HFS+ 
   4. HFSX 

4. What metafile is used to keep information on files and folders in the 
   iOS file system? 
   1. Volume Header 
   2. Allocation 
   3. Catalog 
   4. Extent 

5. What is the default root user password? 
   1. apple 
   2. iphone 
   3. leopard 
   4. alpine 

6. What kind of file is mostly used to keep iOS configuration? 
   1. Text 
   2. JSON 
   3. Plist 
   4. HTML 
from iDevices 


The purpose of this chapter is to introduce the techniques and tools used for the 
acquisition of data from an iDevice. The first part of the chapter covers the boot 
process, the data security features, and the encryption used by Apple. The second 
part deals with the different acquisition methods (direct, backup/logical, advanced 
logical, and physical), including state-of-the-art techniques for cracking or 
bypassing the lock code. Finally, in the last part, we introduce the concept of 
jailbreaking, which is useful for the physical acquisition of the latest devices. 

iOS boot process and operating modes 

The boot process for an iOS device is composed of three steps: Low Level Bootloader 
(LLB), iBoot, and the iOS kernel. To guarantee the integrity of the different 
components, every step in the boot chain is signed. The signature of LLB is verified 
with the Apple Root CA public key, which is contained in the Boot ROM code. LLB then 
verifies and executes iBoot, which in turn verifies and executes the iOS kernel. In 
this way, it is ensured that all the components are signed by Apple. There are a lot 
of studies, papers, and books related to the iOS boot process and how to overcome the 
protections implemented by Apple (you can find all the details in Appendix A, 
References). We suggest reading the latest version of the Apple paper, iOS Security, 
Apple, October 2014. 
From the point of view of a forensic analyst, it is important to know that iDevices can 
operate in the following three modes: 

• Normal: This mode is the traditional iOS user interface. 

• Recovery: This mode is used to perform activation and upgrades on an iDevice. It 
is entered by holding down the Home button on a powered-off device while connecting 
it to a computer via the USB cable; the device runs iBoot and shows the "connect to 
iTunes" screen. 

• Device Firmware Upgrade (DFU): This mode is used by an iDevice during iOS 
upgrades and when one of the steps in the boot chain fails verification. It runs 
from the Boot ROM with nothing else loaded, so the screen stays black. It is entered 
by holding down the Home and the Power buttons together (with the device powered on 
or off) for 10 seconds, then releasing the Power button and holding the Home button 
for 10 seconds more. 

Both Recovery and DFU modes are really useful for the physical acquisition of 
iDevices, as we will show in the dedicated section. 

iOS data security 

A complete description of iOS data security is out of the scope of this book, but we 
wish to give you just an overview (taken from the Apple paper iOS Security and from 
Christian D'Orazio's thesis, see Appendix A, References) of hardware and software 
security features. 

Hardware security features 

Every iDevice, starting from iPhone 3GS, has a dedicated AES 256-bit crypto engine 
built into the DMA path between the flash storage and the main system memory. The 
purposes of this engine are to accelerate encryption and decryption and to keep user 
data encrypted on the device's flash memory at all times. A unique ID (UID), fused 
into the application processor during manufacturing, is associated with each device 
and allows data to be cryptographically tied to that particular device. The UID 
cannot be read directly by software or firmware; it can only be used as an AES 
256-bit key inside the engine, and it is used to derive the encryption keys that 
protect user data. These keys, known as EMF (the file system key) and Dkey (the 
Class D key), are stored in a specific area of the flash memory called the PLOG 
block (or Effaceable Storage). When the device wipes this area, the whole volume 
becomes unreadable and the content is definitively lost, with no way to recover it. 
File data protection 

As described by Apple in their paper, iOS Security (see Appendix A, References): 

"In addition to the hardware encryption features built into iOS devices, Apple uses 
a technology called Data Protection to further protect data stored in flash memory 
on the device." 

Apple implements an encrypted HFS+ volume, in which each file is assigned to a 
class, depending on the type of data and the security level required. The paper 
states that: 

"Every time a file on the data partition is created, Data Protection creates a new 
256-bit key (the "per-file" key) and gives it to the hardware AES engine, which uses 
the key to encrypt the file as it is written to flash memory using AES CBC mode." 

The per-file key is then wrapped with the key of the class to which the file belongs. 
The wrapped per-file key is stored in the com.apple.system.cprotect extended 
attribute, which is part of the file's metadata held in the Attributes file. The 
paper states that: 

"When a file is opened, its metadata is decrypted with the file system key, revealing 
the wrapped per-file key and a notation on which class protects it. The per-file key 
is unwrapped with the class key, then supplied to the hardware AES engine, which 
decrypts the file as it is read from flash memory." 

It is important to note that the file system key (EMF) lives in Effaceable Storage 
and can be erased; in that case the content of every file becomes definitively 
unreadable, because the wrapped per-file keys can no longer be read. There are four 
basic classes that use different policies to determine when file content is 
accessible and where the class keys are stored. With the exception of the Dkey, all 
class keys are stored in the system keybag, a file that contains the (wrapped) 
master keys for each of the available classes, as shown in the following screenshot: 
Class D offers the lowest security level because the Dkey is not derived from the 
passcode; it is stored in the PLOG area wrapped with a value (Key0x835, itself 
derived from the UID) that can be obtained by asking the kernel to perform the 
derivation. From a forensics point of view, it is important to note that, on the iOS 
versions covered here, all the files created by native iOS applications, except 
e-mail messages and related attachments, belong to Class D. This means that all the 
cryptographic keys required to decrypt such files can be retrieved without knowing or 
cracking the passcode, provided that code can be executed on the device. 

Unique device identifier 

Every single iDevice produced is identified by a Unique Device ID (UDID). As 
explained in The iPhone Wiki (http://theiphonewiki.com/wiki/UDID), it can be 
calculated as the SHA-1 hash of a 59- or 60-character string obtained by 
concatenating, without separators, the following: 

• An 11-character (older devices) or 12-character (newer devices) serial number, 
exactly as it is written in the Settings app. 

• A 15-character IMEI number without spaces (on older devices), an empty string for 
iPod touch and Wi-Fi-only iPad models, or the 13-character ECID in decimal with no 
leading zeroes (on newer devices). The ECID is the Electronic Chip ID; for more 
information, refer to https://theiphonewiki.com/wiki/ECID. 

• The 17-character Wi-Fi MAC address (letters in lowercase, including colons). For 
the first-generation iPod touch, use 00:00:00:00:00:00. 

• The 17-character Bluetooth MAC address (letters in lowercase, including colons). 

Case study - UDID calculation on iPhone 4s 

On iPhone 4s, the UDID is calculated as follows: 

    SHA1(serial number + ECID converted to decimal + Wi-Fi MAC address + Bluetooth MAC address) 

The four values are concatenated with no separators, and the MAC addresses are 
written in lowercase. 

If the device is unlocked, the serial number, Wi-Fi MAC address, and Bluetooth 
address can be obtained by tapping Settings | General | About on the device's main 
screen. For the example device, the About screen shows: 

    Serial Number    DNRJ9Z9SDTC0 
    Wi-Fi Address    84:FC:FE:D3:AC:E2 
    Bluetooth        84:FC:FE:D3:AC:8D 

The ECID can be obtained as follows: 

1. Put the device in Recovery mode. 

2. On Windows, open Device Manager, go to Universal Serial Bus controllers | 
   Apple Mobile Device USB Driver, right-click on it and select Properties. 

3. Click on Details, select Device Instance Path in the drop-down menu, and copy 
   the value to a text file. 

4. On Mac OS X, navigate instead to System Information | System Report and look at 
   the device entry under Hardware | USB. 

For the example device, the Device Instance Path shown in the properties of the 
Apple Mobile Device USB Driver ends with: 

    BDID:08_ECID:0000032CD418838B_IBFL:1B_SRNM:[DNRJ9Z9SDTC0] 

In this example we have the following entries: 

• Serial number: DNRJ9Z9SDTC0 

• ECID: 0000032CD418838B 

• Wi-Fi MAC address: 84:FC:FE:D3:AC:E2 

• Bluetooth MAC address: 84:FC:FE:D3:AC:8D 

Before calculating the UDID, we need to convert the hex value of the ECID to a 
decimal number with no leading zeroes, so 32CD418838B corresponds to 3491071820683. 

The UDID can then be calculated as follows: 

    SHA1("DNRJ9Z9SDTC0" + "3491071820683" + "84:fc:fe:d3:ac:e2" + "84:fc:fe:d3:ac:8d") = 
    26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef 
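The following Python script is an added example, not code from the book: it carries 
out the calculation just shown, extracting the ECID from the tail of a Windows Device 
Instance Path, converting it to decimal, normalising the MAC addresses to lowercase 
and hashing the concatenation with SHA-1. The identifiers are the case-study values 
above; the text reports 26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef for them, so running 
the script is a quick way to check that a serial number or address has been 
transcribed correctly before comparing with what iTunes or ideviceinfo shows. 

```python
"""Recompute an iPhone 4s UDID from its hardware identifiers.

Added example, not from the book. The identifiers come from the case study in
the text; the concatenation rule (serial + ECID in decimal + lowercase Wi-Fi MAC
+ lowercase Bluetooth MAC, no separators) is the one the text attributes to
The iPhone Wiki.
"""
import hashlib
import re

# Case-study values from the text (serial and MACs as shown in Settings,
# ECID as shown in the Windows Device Instance Path).
SERIAL = "DNRJ9Z9SDTC0"
ECID_HEX = "0000032CD418838B"
WIFI_MAC = "84:FC:FE:D3:AC:E2"
BT_MAC = "84:FC:FE:D3:AC:8D"
INSTANCE_PATH_TAIL = "BDID:08_ECID:0000032CD418838B_IBFL:1B_SRNM:[DNRJ9Z9SDTC0]"

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalise_mac(mac):
    """Lowercase, colon-separated, 17 characters, as the UDID recipe requires."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError("unexpected MAC format: %r" % mac)
    return mac


def ecid_to_decimal(ecid_hex):
    """The USB stack shows the ECID in hex; the UDID uses it in decimal, no leading zeroes."""
    return str(int(ecid_hex, 16))


def ecid_from_instance_path(path):
    """Pull the ECID field out of a Device Instance Path of a device in Recovery mode."""
    m = re.search(r"ECID:([0-9A-Fa-f]+)", path)
    if not m:
        raise ValueError("no ECID field in %r" % path)
    return m.group(1)


def udid_preimage(serial, ecid_hex, wifi_mac, bt_mac):
    """The string that is hashed: 12 + 13 + 17 + 17 = 59 characters for this device."""
    return (serial.strip() + ecid_to_decimal(ecid_hex)
            + normalise_mac(wifi_mac) + normalise_mac(bt_mac))


def compute_udid(serial, ecid_hex, wifi_mac, bt_mac):
    """40 lowercase hex characters, comparable with ideviceinfo's UniqueDeviceID."""
    pre = udid_preimage(serial, ecid_hex, wifi_mac, bt_mac)
    if len(pre) not in (59, 60):
        raise ValueError("pre-image is %d characters, expected 59 or 60" % len(pre))
    return hashlib.sha1(pre.encode("ascii")).hexdigest()


if __name__ == "__main__":
    ecid = ecid_from_instance_path(INSTANCE_PATH_TAIL)
    print("ECID hex:    ", ecid)
    print("ECID decimal:", ecid_to_decimal(ecid))
    print("pre-image:   ", udid_preimage(SERIAL, ecid, WIFI_MAC, BT_MAC))
    print("UDID:        ", compute_udid(SERIAL, ecid, WIFI_MAC, BT_MAC))
```

The length check is deliberate: a serial number with a trailing space, an IMEI 
mistakenly used in place of the ECID, or a MAC address typed with dashes all produce 
a pre-image of the wrong length and would otherwise yield a plausible-looking but 
wrong hash. 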

The calculated value can be verified using iTunes, after connecting the device to the 
computer. The device summary page in the screenshot reports: 

    iPhone 4S, 16GB 
    Capacity: 13.30 GB 
    UDID: 26CCDBCB74B2AB8E9E97AA096883A10442C6F2EF 
    iOS 7.1.1 - Your iPhone software is up to date. 

Otherwise, the UDID can also be verified using the ideviceinfo tool introduced in 
Chapter 2, Introduction to iOS Devices, which reports it as UniqueDeviceID. Note that 
UniqueChipID is the ECID in decimal, 3491071820683, the same value used in the 
calculation: 

    $ ideviceinfo -s 
    BasebandCertId: 2 
    BasebandKeyHashInformation: 
     AKeyStatus: 2 
     SKeyHash: 7MQEUyvzG4gjjZc7KsNNAVTS8g4= 
     SKeyStatus: 0 
    BasebandSerialNumber: JxnwkQ== 
    BasebandVersion: 5.2.00 
    BoardId: 8 
    BuildVersion: 11D201 
    ChipID: 35136 
    DeviceClass: iPhone 
    DeviceColor: black 
    DeviceName: EpiPhone 
    DevicePublicKey: LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JR0pBb0dCQUtHUjZMOUMweE56dlhaNmdQd3hleUFlRUJGUjlQYmlmUmlNdTIvaDliOWppZXJpVVFYWnVFTE4KampZeW0zWQvbndZa0hNOFhsVWx2YUJtMWdJS2NveWlyOE5JbVd3S2N5ak41b2pEbDE5NnJhWlBqllmZEVVJXYQpsUXVUUC84SDZTRFJ2NONianU2OEg0MFJocURJYlNjbi9ollXAvd2s5Q2IydHdxWlFpQnNKQWdNQkFBRTOKLS0tLS1FTkQgUlNBIFBVQkxJQyBLRVktLS0tLQo= 
    DieID: 2242306697049237152 
    HardwareModel: N94AP 
    PartitionType: 
    ProductVersion: 7.1.1 
    ProductionSOC: true 
    ProtocolVersion: 2 
    TelephonyCapability: true 
    UniqueChipID: 3491071820683 
    UniqueDeviceID: 26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef 
    UntrustedHostBUID: 0BD553BE-17EB-544C-0626-47E8AE883479 
    WiFiAddress: 84:fc:fe:d3:ac:e2 
Lockdown certificate 

The first time you connect an unlocked iDevice to a computer and run the iTunes 
software, a pairing record, commonly called a lockdown certificate, is created on 
the computer's hard drive. Depending on the operating system on which iTunes is 
installed, lockdown records are stored in the following folders: 

• Windows 7/8: C:\ProgramData\Apple\Lockdown 

• Windows Vista: C:\Users\[username]\AppData\Roaming\Apple Computer\Lockdown 

• Windows XP: C:\Documents and Settings\[username]\Application Data\Apple 
Computer\Lockdown 

• Mac OS X: /var/db/lockdown 

Within these paths, there is one record for each device that was ever paired with the 
computer. The record is a plist file called <udid>.plist, where udid is the unique 
identifier of the iDevice, as shown in the following screenshot. Besides the device 
certificate, the file holds the host certificate and the private key generated for 
the pairing, which is why possession of the file alone is enough to reproduce the 
pairing from another machine. 

Once the record has been generated, you will no longer need to unlock the iDevice 
when you connect it to the computer, and some of its content will be made available. 
The lockdown record remains valid until the user resets the device to factory 
settings. Of fundamental importance to the forensic acquisition of data is the fact 
that the record can be copied to another machine (into the Lockdown folder of that 
machine), after which you have partial access to the device even without knowing the 
lock code. Note, however, that the device must have been unlocked at least once since 
it was last powered on: a device that has rebooted and has not yet had its passcode 
entered does not expose its protected data through the pairing record. 
Starting from iOS 7.0, when you connect a device, two pop-up authorizations are 
displayed. The first popup appears on the computer in iTunes and asks the user to 
click on Continue. 

The second popup appears on the iDevice screen once it is unlocked, and requires the 
user to tap the Trust button to allow pairing with the computer: 

    Trust This Computer? 
    Your settings and data will be accessible from this computer when connected. 
    [Trust]   [Don't Trust] 

Since the trust prompt can only be answered on an unlocked device, a passcode-locked 
iDevice running iOS 7 or later cannot be paired with a new computer, which is exactly 
why a pre-existing lockdown record from the user's own computer is so valuable. 

Search and seizure 

If you have to deal with a search and seizure of an iDevice, it is really important to 
perform at least the following steps: 

1. Turn on Airplane Mode from Settings, to isolate the device from the network (and 
   from any remote wipe command). 

2. If the device is unlocked, set Auto-Lock to Never from Settings | General | 
   Auto-Lock. 

3. Check whether a passcode is set from Settings | Passcode. 
   1. If a passcode is set, acquire the content from the device as soon as possible 
      (at least a logical acquisition) or keep the device charged and powered on: 
      once it is switched off, the unlocked state is lost. 
   2. If no passcode is set, the device can be turned off. 

4. If the device is locked or you identified that a passcode is set, seize any 
   computer that was used to synchronize or simply authorize the iDevice, because 
   there you can possibly find a lockdown certificate that will allow access to the 
   data even if the device is protected with a passcode. 

iOS device acquisition 

Once you identified the specific model that you need to acquire, it becomes 
important to understand the best technique to use. The type of acquisition depends 
basically on the following five parameters: 

• Model 

• iOS version 

• Passcode (not set, simple passcode, or complex passcode) 

• Presence of a backup password 

• Is the device jailbroken? 

Nowadays, in the forensic community the following four techniques are used to 
access data stored on iDevices: 

• Direct: This technique consists of a direct interaction with a powered on 
device through non-forensic software 

• Backup or logical acquisition: This technique consists of a partial file system 
acquisition through the iTunes backup or using a forensic acquisition tool 
that uses the iTunes libraries 

• Advanced logical: This technique is based on lockdown services and was 
introduced for the first time by the researcher Jonathan Zdziarski 

• Physical: This technique generates a traditional forensic image for both the 
system and data partition 
Direct acquisition 

The direct acquisition can be carried out with all iDevices, regardless of the operating 
system version. It requires that the device is not protected with a passcode, that the 
passcode is known, or that the analyst has a lockdown certificate. To make a direct 
acquisition, you can use various types of software known as iDevice browsers. Keep 
in mind that this activity is performed with a non-forensic tool that also permits write 
operations, so the analyst must operate very carefully to avoid accidental erasure and 
should document every action taken on the device. The most widely used tools on 
Windows and Mac for this type of acquisition are iFunBox, iMazing, iExplorer, and 
WonderShare Dr.Fone. These tools require the installation of an updated version of 
iTunes because they use its libraries to communicate with the device. Before 
connecting the device to your computer, you should ensure that in iTunes | 
Preferences | Devices, the Prevent iPods, iPhones, and iPads from syncing 
automatically option is enabled, as shown in the following screenshot: 
[Screenshot: iTunes | Preferences | Devices, with the Prevent iPods, iPhones, and iPads from syncing automatically option checked] 

Chapter 3 
Backup or logical acquisition 

Backup or logical acquisition allows the analyst to recover more information than 
direct acquisition, and in a more forensically sound way, because it creates a backup 
of the device without altering the data on it. Regarding the passcode, the conditions 
are the same as for direct acquisition: the analyst must know the passcode or have a 
lockdown certificate to perform this kind of acquisition. Before connecting the 
device, you also need to disable automatic syncing in iTunes. This acquisition can be 
performed in two ways: using iTunes or using forensic software. 

Acquisition with iTunes backup 

The acquisition through iTunes can be done in a very simple way using the backup 
function of the device. Once you start iTunes, you need to click on the name of the 
device to access detailed information. At this point, you need to check how the 
device is configured in relation to the backup operation. There may be the following 
three cases: 

• The device is configured to perform a local backup not protected 
by a password 

• The device is configured to perform a local backup with a password 
previously set by the device owner 

• The device is configured to backup to iCloud 

In the first two cases, simply click on the Back Up Now button to start the backup 
on the computer, as shown in the following screenshot: 


[Screenshot: the iTunes Backups panel. Automatically Back Up: iCloud ("Back up the most important data on your iPhone to iCloud") or This computer, selected ("A full backup of your iPhone will be stored on this computer"); Encrypt iPhone backup checkbox ("This will also back up account passwords used on this iPhone"); Change Password... Manually Back Up and Restore ("Manually back up your iPhone to this computer or restore a backup stored on this computer"): Back Up Now, Restore Backup... Latest Backup: Today 6:08 PM to this computer] 
If the user has not chosen a password, the created backup can be analyzed with 
various tools. Otherwise, the analyst needs to crack the backup password before 
starting the analysis. Both the password cracking and the backup structure will be 
discussed in Chapter 5, Evidence Acquisition and Analysis from iTunes Backup. 

In the third case, before starting the backup, the analyst must change the option 
from iCloud to This computer. In this way, the backup is performed locally 
and does not overwrite any data present in the previous backups on iCloud. 
The data acquisition from iCloud is explained in Chapter 6, Evidence Acquisition and 
Analysis from iCloud. 


[Screenshot: the same iTunes Backups panel with iCloud selected under Automatically Back Up. Latest Backups: 10/10/2013 4:00 PM to iCloud; Today 6:08 PM to this computer] 
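Before handing a backup to an analysis tool, it is worth checking from the backup folder itself which of the cases above applies, that is, whether the backup was created with a password. The script below is an added example (not code from the book or from iTunes): it reads Info.plist and Manifest.plist from a backup folder and reports the encryption state, the device identity, and whether the folder name matches the UDID. The key names (Device Name, Product Version, Unique Identifier, IsEncrypted, BackupKeyBag, WasPasscodeSet) and the default MobileSync folders are assumptions drawn from iTunes backups of the iOS 5 to iOS 8 era, and the two sample manifests are constructed.

```python
"""Triage an iTunes backup folder before analysis.

Added example, not code from the book or from iTunes. It reads Info.plist and
Manifest.plist from a backup folder and reports whether the backup was made
with a password, in which case the password has to be recovered before the
files can be parsed. Key names and default folders are assumed from iTunes
backups of the iOS 5 to iOS 8 era.
"""
import os
import plistlib

# Default MobileSync locations on the same host systems as the lockdown folders.
BACKUP_DIRS = [
    os.path.expandvars(r"%APPDATA%\Apple Computer\MobileSync\Backup"),
    os.path.expanduser("~/Library/Application Support/MobileSync/Backup"),
]


def triage_backup(info_raw, manifest_raw, folder_name=None):
    """Summarize one backup from the bytes of its Info.plist and Manifest.plist."""
    info = plistlib.loads(info_raw)
    manifest = plistlib.loads(manifest_raw)
    udid = str(info.get("Unique Identifier", "")).lower()
    return {
        "udid": udid,
        "device_name": info.get("Device Name"),
        "product_type": info.get("Product Type"),
        "ios_version": info.get("Product Version"),
        "last_backup": info.get("Last Backup Date"),
        # Set when the owner chose Encrypt iPhone backup: the per-file keys are
        # wrapped in BackupKeyBag and only the backup password unwraps them.
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "has_keybag": "BackupKeyBag" in manifest,
        "passcode_was_set": bool(manifest.get("WasPasscodeSet", False)),
        # iTunes names the folder after the UDID; a mismatch deserves a note in the log.
        "folder_matches_udid": folder_name is None or folder_name.lower() == udid,
    }


def triage_backup_folder(path):
    """Triage the backup stored in one folder on disk."""
    with open(os.path.join(path, "Info.plist"), "rb") as i, \
            open(os.path.join(path, "Manifest.plist"), "rb") as m:
        return triage_backup(i.read(), m.read(), os.path.basename(path))


def next_step(report):
    """Which path from Chapter 5 applies to this backup."""
    if report["encrypted"]:
        return "encrypted backup: recover the backup password before parsing"
    return "unencrypted backup: parse directly"


def list_backups(dirs=BACKUP_DIRS):
    """Return the report for every backup folder found in the given locations."""
    reports = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            folder = os.path.join(d, name)
            if os.path.isfile(os.path.join(folder, "Manifest.plist")):
                reports.append(triage_backup_folder(folder))
    return reports


# Constructed sample plists (not from a real device).
SAMPLE_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Device Name</key><string>Evidence iPhone</string>
  <key>Product Type</key><string>iPhone4,1</string>
  <key>Product Version</key><string>7.1.1</string>
  <key>Unique Identifier</key><string>26CCDBCB74B2AB8E9E97AA096883A10442C6F2EF</string>
</dict></plist>"""
SAMPLE_MANIFEST_ENCRYPTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>IsEncrypted</key><true/>
  <key>WasPasscodeSet</key><true/>
  <key>BackupKeyBag</key><data>QUJDRA==</data>
</dict></plist>"""
SAMPLE_MANIFEST_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>IsEncrypted</key><false/>
  <key>WasPasscodeSet</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    for r in list_backups():
        print(r["udid"], next_step(r))
    r = triage_backup(SAMPLE_INFO, SAMPLE_MANIFEST_ENCRYPTED,
                      "26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef")
    print("sample:", r, next_step(r))
```

Run the script on the examination machine right after Back Up Now finishes: if the report says encrypted, the backup password has to be cracked before anything else, and it is worth starting that attack while the advanced logical acquisition described later in this chapter runs.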



Logical acquisition with forensic tools 

In the market, there are various forensic tools that can perform backup or logical 
acquisition, for example Cellebrite UFED 4PC/UFED Touch/UFED Physical 
Analyzer, Oxygen Forensic® Suite Standard/ Analyst, Mobile Phone Examiner, 
MobilEdit!, Lantern, and XRY. For a detailed reference list, refer to Appendix B, 
Tools for iOS Forensics. 
Case study - logical acquisition with Oxygen 
Forensic® Suite 

The Oxygen Forensic® Suite software is a commercial product that allows the logical 
acquisition of an iOS device. It is available in two licensing modes: Standard and 
Analyst. On the Oxygen website, you can request a freeware version of the Standard 
license, which allows data to be extracted from the device but offers limited analysis 
capabilities. To start the extraction, it is necessary to click on the Connect device 
button from the main screen, as shown in the following screenshot: 


[Screenshot: Oxygen Forensic® Suite 2014 Analyst main window (File, View, Tools, Service, Help menus), with the Connect device button (Open Oxygen Forensic® Extractor) and the Import backup file button] 


The software will then begin the extraction procedure, and you can choose the type 
of connection you want to start. You can choose between Auto device connection 
and Manual device selection, as shown in the following screenshot. For iDevices, it 
is generally sufficient to select the first option. 


[Screenshot: Oxygen Forensic® Extractor connection mode. Auto device connection: auto mode connects the first device detected on the PC. Manual device selection: manual selection mode allows you to choose the connection type and device model from a list] 
The software starts searching for a connected iDevice. If the device is locked with 
a passcode, the software asks the analyst to enter the passcode or to provide a 
lockdown certificate. The software shows the UDID of the iDevice, so it is easier 
for the analyst to search for the matching <udid>.plist on a computer previously 
synced with the device. If the analyst knows the passcode, he/she needs to enter it 
on the device, authorize the computer, and click on I entered the passcode. Press to 
connect. Otherwise, he/she can choose the Select lockdown plist option and provide 
the tool with the lockdown certificate. 
If the certificate is correct, the software displays a confirmation screen with a button 
to start the connection to the device, as shown in the following screenshot: 


[Screenshot: Option 2, Find lockdown plist on PC to unlock the device. Required plist: 26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef.plist. The file is correct. Press to connect] 


At this point, the software displays information specific to the connected device 
(model, IMEI number, iOS version, and boot loader), as shown in the following 
screenshot: 



The investigator can then enter information about the case, and if known, the backup 
password for the device. 


[Screenshot: Oxygen Forensic® Extractor case information form. Device alias: Apple iPhone 4S; Case number: 000-IOS BOOK; Evidence number: Mattia iPhone; Inspector: Mattia Epifani; iTunes password: Enter the password; Hash algorithm: SHA-2; Device owner: Mattia Epifani; Owner email; Owner phone number. Option: Parse applications databases and collect data for analytical sections (Aggregated Contacts, Links and Stats, etc.); if not checked you can do it later in Oxygen Forensic® Suite] 
Then, the analyst can select the data to extract, choosing among the types 
supported by this method, as shown in the following screenshot: 


[Screenshot: data types selectable for the Apple iPhone 4S: Applications, Calendar, Dictionaries, Event Log, File structure (Selective reading or Full reading), Files from internal memory, Locations, Messages, Passwords, Phonebook, Web Browsers] 





When you click on the Next button, the acquisition starts and a progress bar is 
displayed. Note that during the extraction the software also parses all the data 
found, including a search for deleted records within the databases stored on the 
phone (for example, calls, SMS, chats, and so on). For this reason, the acquisition 
may take a long time, but afterwards the analyst is ready to examine the parsed data 
within the software, as shown in the following screenshot: 

[Screenshot: Data extraction using iTunes backup procedure; Extracting iTunes backup; Total objects: 471] 
If the device has a backup password previously set by the user, Oxygen can work 
with Passware Kit Forensic (if installed on the computer used to acquire data) to 
attack the backup password. If the examiner knows the password, he/she can stop 
the attack and enter it manually. At the end of the cracking process, if the password 
has been found, the software proceeds with the extraction of all the data, as 
described previously. If the password is not found, the software extracts only the 
multimedia content (images, videos, books, and so on) and does not provide 
information about the applications preinstalled or installed by the user. 
Advanced logical acquisition 


The advanced logical acquisition method was first introduced by the iOS security 
researcher Jonathan Zdziarski in his tool Waterboard, released in June 2013. The 
author's description in his article states that: 

"Waterboard is an open source iOS forensic imaging tool, capable of performing 
an advanced logical acquisition of iOS devices by utilizing extended services and 
back doors in Apple's built-in lockdown services. These services can bypass Apple's 
mobile backup encryption and other encryption to deliver a clear text copy of much 
of the file system to any machine that can or has previously paired with the device." 

A detailed explanation can be found in the paper Identifying Back Doors, Attack 
Points, and Surveillance Mechanisms in iOS Devices by Jonathan Zdziarski (see Appendix A, 
References). Currently, the Waterboard tool is no longer available or supported 
by Zdziarski, but a few forensic tools offer the same feature: UFED 
Physical Analyzer, Oxygen Forensics Toolkit, and AccessData MPE. 


Case study - advanced logical acquisition with 
UFED Physical Analyzer 


UFED Physical Analyzer is a software product from Cellebrite, supplied 
with the purchase of UFED Touch or UFED 4PC. The advanced logical acquisition 
in UFED Physical Analyzer can be started from the main interface of the software 
under the menu item Extract | iOS Device Extraction (Ctrl+I), as shown in the 
following screenshot: 

[Screenshot: UFED Physical Analyzer 3.9.67, Extract menu: iOS Device Extraction (Ctrl+I); Extract GPS/Mass Storage Device... (Ctrl+J)] 
The analyst can now choose Advanced Logical extraction: 

[Screenshot: iOS Device Data Extraction Wizard, Choose an extraction type: Advanced Logical extraction or Physical mode. Advanced Logical extraction: extract the device phonebook, call log, SMSs, iMessages, MMSs, emails (from jailbroken devices), calendar, application data, pictures, audio, video, ringtones and more. Advanced logical extraction is the fastest extraction; results can be viewed via the UFED Logical Analyzer and the UFED Physical Analyzer. The device must be on.] 


The software requires you to connect the turned-on device using the correct cable 
(30-pin connector or Lightning 8-pin connector), as follows: 

[Screenshot: iOS Advanced Logical 3.9, Connect the device (Connect > Prepare > Extract data): Connect the device to your computer. Make sure the device is on.] 
The device must be powered on and unlocked; otherwise, the software displays the 
error message The iOS device is locked. To proceed, the analyst must unlock the 
device with the passcode or copy the device's lockdown certificate into the lockdown 
folder of the examination computer (the paths are listed at the beginning of this 
chapter). 

The software checks whether a backup password is set on the device and offers 
two acquisition methods: Method 1 corresponds to a device backup (logical 
acquisition), while Method 2 extracts data through the lockdown services 
(advanced logical acquisition). 

If the device has a backup password, with Method 1 the analyst must know the 
password or crack it (as explained in Chapter 5, Evidence Acquisition and Analysis from 
iTunes Backup), while with Method 2 it is possible to extract part of the data 
without cracking the backup password. For this reason, when you need to acquire a 
device that has a backup password, it is advisable to perform both acquisitions: 
Method 2 gives immediate access to some information, and the encrypted 
acquisition from Method 1 can yield more once the backup password is cracked. 


[Screenshot: Connect > Prepare > Extract data. The iTunes backup of this device (iPhone with iOS 7.1.1) is not encrypted. The data extracted by each method will vary based on the device model and iOS version. Method 1: extraction of a rich set of data including call logs, SMSs, MMSs, applications data, data files and notes (Recommended). Method 2: extraction of a rich set of data including SMSs, MMSs, applications data and data files; some data types are not extracted; extended extraction time.] 


Once you select the extraction method, the software initiates the procedure requiring 
the user to set the destination folder. Scanning takes a variable time depending on the 
chosen method (Method 1 is performed in a single step and is faster than Method 2, 
which requires three steps), the memory size of the device, and the space occupied by 
files (especially media files such as pictures, videos, music, and so on). 

Once the acquisition is complete, the software displays a report showing the amount 
of extracted data and the time taken, as shown in the following screenshot. From this 
window, the analyst can choose whether to return to the home screen or open the 
acquisition made in UFED Physical Analyzer for the analysis activities. 


[Screenshot: Connect > Prepare > Extract data. Extraction completed. Extraction size: 244,72 MB. Time elapsed: 00:57] 


Physical acquisition with forensic tools 

Physical acquisition allows most of the content of an iOS device to be extracted. 
Unlike the backup or logical and advanced logical methods, the analyst obtains 
a forensic copy of the device memory and has access to all the files stored there. 
Examples of information that can be retrieved only through a physical acquisition 
are e-mail messages and the device log files. The physical acquisition is based on 
vulnerabilities in the boot ROM, exploited while the device boots (in DFU mode). 
For this reason, the operation does not alter the data stored on the iDevice: it loads 
an alternative operating system (a custom ramdisk) directly into RAM, without 
writing to the flash memory, and runs the acquisition commands from there. 
Currently, it is supported on the first iPhone model/3G/3GS/4, iPad 1, and iPod 
touch 1/2/3/4. 

If the device is not protected by a passcode, the physical acquisition can be carried 
out without problems by creating an image of both system and data partitions. 

If the iDevice is protected with a passcode, it is necessary to distinguish the following 
two cases: 

• If the passcode is simple (4 digits), it can be cracked in 20 to 30 minutes, 
depending on the device type. 

• If the passcode is complex (more than four digits, or alphanumeric), the analyst 
has the following two options: 

    ° Try a brute force or a dictionary attack on the passcode. 

    ° Perform the physical acquisition without cracking the passcode. 
      In this case, the physical acquisition will decrypt all the data whose 
      encryption does not depend on the passcode, while other data (for 
      example, e-mail, stored passwords, and so on) cannot be decrypted. 

Several forensic tools can perform physical acquisition, such as iPhone data 
protection tools, UFED Physical Analyzer, Elcomsoft iOS Forensic Toolkit, Lantern, 
AccessData MPE+, iXAM, and XRY. For a more comprehensive and detailed list 
of tools, books, and papers related to physical acquisition, refer to Appendix A, 
References, and Appendix B, Tools for iOS Forensics. 

Case study - physical acquisition with UFED 
Physical Analyzer 

The physical acquisition in UFED Physical Analyzer can be started from the 
main interface of the software under the menu item Extract | iOS Device 
Extraction, choosing Physical mode, as follows: 

[Screenshot: iOS Device Data Extraction Wizard, Choose an extraction type: Advanced Logical extraction or Physical mode. Physical mode contains three types of extraction: Physical extraction, File system extraction, Passcode recovery/test. The device must be off. Supported devices running iOS 3.0 or higher: iPhone 2G/3G/3GS/4, iPad 1, iPod Touch 1G/2G/3G/4G, iPod Nano 5G] 
The device must be powered off, and then the analyst can connect the correct cable to 
the computer (and not yet to the iDevice). 


[Screenshot: iOS Physical 3.9, Turn the device off (Connect > Prepare > Extract data): Press and hold the Power button. Slide to power off. Connect Adapter A with T-110 (or Cable #110) to the computer and not to the device. The device is off >] 


Now, the investigator must connect the device in Recovery mode: press and hold 
the Home button, connect the cable while still holding it, and keep holding the 
Home button even after the recovery image appears on the screen, as shown in the 
following screenshot: 


[Screenshot: iOS Physical 3.9, Connect the device in recovery mode (Connect > Prepare > Extract data): Press and hold the Home button. Connect the cable while still holding the Home button. Keep holding the Home button even after the recovery image appears.] 
The software displays the information related to the device (the iOS version, serial 
number, board, boot firmware, chip ID, and so on), as follows: 


[Screenshot: iOS Physical 3.9, Successfully entered Recovery Mode. You can release the Home button now. Device Info: Device model: iPad (original); iOS version: 5.1-5.1.1; Serial number: V5035AUJETV; ECID: 000003A72E1503F4; Board: k48ap; iBoot firmware version: iBoot-1219.62.15; Chip ID: 8930] 



Now, the device must be put in DFU mode: press and hold the Power and Home 
buttons together, wait 3 seconds after the device screen goes black, and then release 
only the Power button while keeping the Home button held, as shown in the 
following screenshot: 


[Screenshot: iOS Physical 3.9, Prepare the device for physical extraction (Connect > Prepare > Extract data). The device needs to be in DFU mode (Device Firmware Update) to enable data extraction: Press and hold both the Power and Home buttons. When the device screen turns black, wait 3 seconds. Release only the Power button; keep holding the Home button.] 
The software uploads the boot loader into memory and offers the analyst two 
options: Physical Extraction and File System Extraction, as shown in the following 
screenshot. The first extracts a physical image of the encrypted data partition, which 
can then be decrypted and examined in UFED Physical Analyzer or in other analysis 
tools; the second extracts the files from the device to the computer. UFED also 
reports the state of the passcode protection. If the device is not protected by a 
passcode, the acquisition can start immediately and all the files can be decrypted. 


[Screenshot: iOS Physical 3.9, Choose an extraction method (Connect > Prepare > Extract data). The device (iPad (original) with iOS 5.1-5.1.1) is encrypted and it is not protected by passcode. Physical Extraction: extract a physical image of the device's encrypted storage; the extraction can be viewed in UFED Physical Analyzer. File System Extraction: extract all files from the device to your computer. Extraction and Encryption FAQ. Turn off the device and exit] 

Evidence Acquisition from iDevices 


Otherwise, it depends on the passcode type. If the device has a simple passcode 
(4 digits), it can be recovered in 20 to 30 minutes (depending on the iDevice type) by 
choosing the Passcode recovery option. The attack has to run on the device itself, 
because the key derived from the passcode is tied to the hardware UID key and 
cannot be brute-forced off-device, which is why the time depends on the model. 


[Screenshot: The device (iPad (original) with iOS 5.1-5.1.1) is encrypted and protected with a simple passcode. All data can be fully extracted and decrypted in UFED Physical Analyzer. The passcode can be recovered automatically if you don't know it. Passcode recovery: recover the passcode so you can unlock and use the device. Progress screen (Connect > Prepare > Extract data): The recovery might complete sooner than the time displayed below. Maximum time remaining: 00:30:33] 


At the end of the cracking stage, the software shows the passcode and gives the 
opportunity to start the acquisition, as follows: 


[Screenshot: iOS Physical 3.9, Passcode recovered successfully (Connect > Prepare > Extract data). Passcode recovered: '1598' in 00:04:32. 100%. The passcode has been saved for this session. Back to extraction options / Turn off the device and exit] 
If the device has a complex passcode, the analyst has two options: acquire a physical 
image without cracking the passcode (this means that some data will not be 
available, for example, e-mail and stored passwords) or try to crack the passcode 
with a dictionary attack. 


[Screenshot: The device (iPad (original) with iOS 5.1-5.1.1) is encrypted and protected with a complex passcode. All data can be fully extracted and decrypted if you have the passcode. Without the passcode, some files (such as part of the emails and saved passwords) will still be encrypted. Test passcodes: test a passcode as many times as you like without locking the device. This device uses a complex passcode; it cannot be recovered automatically. Use this box to try as many passcodes as you wish; this will not lock the phone or erase the data. From Dictionary. The passcode may consist of any combination of numbers, letters and symbols.] 


The iOS device jailbreaking 

iOS jailbreaking is the process of removing limitations on iOS devices through the 
use of software and hardware exploits. It enables root access to the iOS file system 
and allows additional applications not available in the official Apple App Store to be 
installed. Various jailbreaking tools have been developed; an always updated list 
can be found at http://theiphonewiki.com/wiki/Jailbreak. Currently, the latest 
available tools are evasi0n (http://evasi0n.com/), Pangu (http://en.pangu.io/), 
and TaiG (http://www.taig.com/en/). 

Jailbreaking is an invasive activity on the device's system partition, so it cannot be 
considered a forensic operation. However, it is useful to note that for newer 
devices (iPhone 4s/5/5C, iPad 2/3/4/mini, and iPod touch 5), it is the only way 
to make a physical acquisition. It is therefore necessary that the device is already 
jailbroken or that the investigator can jailbreak it. On newer devices, in order to 
jailbreak the device, the analyst needs to know the passcode, since the procedure 
requires actions to be performed directly on the unlocked device. Document the 
jailbreak (tool, version, and every step taken) in the acquisition report, since it 
modifies the system partition. 
Case study - jailbreaking and physical 
acquisition with Elcomsoft iOS 
Forensic Toolkit 

At the time of writing, only Elcomsoft iOS Forensic Toolkit supports the physical 
acquisition of newer devices, and it can be used on Windows or Mac. The following 
screenshots show the acquisition procedure performed on a first-generation iPad 
mini with a known passcode and iOS 6.1.2. 

The device was connected to a computer running Windows 7 and jailbroken with 
evasi0n 1.5.3, as shown in the following screenshot. Note the step in which the 
software prompts you to unlock the device to complete the jailbreak. 



After jailbreaking, the Elcomsoft iOS Forensic Toolkit driver script for jailbroken 
devices was executed. Its main menu is as follows: 

    Welcome to Elcomsoft iOS Forensic Toolkit 
    This is driver script version 1.21/Win for A5+ 

    (c) 2011-2013 Elcomsoft Co. Ltd. 

    Please select an action: 

    1 N/A 
    2 N/A 
    3 GET PASSCODE - Recover device passcode 
    4 GET KEYS - Extract device keys and keychain data 
    5 DECRYPT KEYCHAIN 
    6 IMAGE DISK - Acquire physical image of the device filesystem 
    7 DECRYPT DISK 
    8 TAR FILES - Acquire user's files from the device as a tarball 
    9 REBOOT - Reboot the device 
    0 EXIT 
The wizard is very simple and basically involves the following three steps: 

• Extraction of the encryption keys (GET KEYS): 



• Physical acquisition of the system partition (in plain text) and of the data partition 
(encrypted) (IMAGE DISK): 


    Welcome to Elcomsoft iOS Forensic Toolkit 
    This is driver script version 1.21/Win for A5+ 

    (c) 2011-2013 Elcomsoft Co. Ltd. 

    Please select partition to image: 

    1 System (rdisk0s1s1) - this one is NOT ENCRYPTED 
    2 User (rdisk0s1s2) - this one is ENCRYPTED 

    0 Back 

    >: 2 

    Save image to file <user.dmg>: 

    rawwrite dd for windows version 0.6beta3. 
    Written by John Newbigin <jn@it.swin.edu.au> 
    This program is covered by terms of the GPL Version 2. 

    root@localhost's password: 
    14,393,856k 
    899616+0 records in 
    899616+0 records out 
• Decryption of the data partition with the extracted keys (DECRYPT DISK): 

    This is iOS User Partition Decryption Tool 
    Part of Elcomsoft iOS Forensic Toolkit 
    Version 1.15 built on Jun 4 2012 

    (c) 2011-2012 Elcomsoft Co. Ltd. 

    [INFO] Complete key set is loaded, everything should be decryptable. 
    [INFO] Image encryption statistics: 
    [INFO] 8141 files total: 7958 encrypted + 183 not encrypted. 
    [INFO] 7958 files can be decrypted (out of 7958 encrypted files). 
    [INFO] Input image contains 3598464 blocks of 4096 bytes. 
    [100%] 13.73 of 13.73 Gb decrypted 

    SHA1(user-decrypted.dmg) = 2168fc154d71feb4964d8cf0e4bf2bbb746c885a 
    Press 'Enter' to continue 
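The dd summary and the decryption tool's block count above are enough to sanity-check an image before it leaves the acquisition workstation: 899616 records of 16 KiB is 14,739,308,544 bytes, which is exactly 3,598,464 blocks of 4,096 bytes and 13.73 GiB, so the two tools agree on the size of the data partition. The script below, an added example that is not part of Elcomsoft iOS Forensic Toolkit or of the book, automates that check for any image (including dd's "+1" partial record) and hashes the file in chunks so the digest can be logged beside the one the tool prints; the small image written by selfcheck() is constructed and stands in for a real partition dump.

```python
"""Cross-check an acquired partition image against the acquisition log.

Added example, not part of Elcomsoft iOS Forensic Toolkit or of the book.
It parses the record counts that dd prints, works out the size the image
must have, compares it with the file on disk, and hashes the image in
chunks so the digest can be recorded next to the one the tool prints.
"""
import hashlib
import os
import re
import tempfile

DD_LINE = re.compile(r"^(\d+)\+(\d+) records (in|out)$")


def parse_dd_summary(text):
    """Return {'in': (full, partial), 'out': (full, partial)} from dd's closing lines."""
    counts = {}
    for line in text.splitlines():
        m = DD_LINE.match(line.strip())
        if m:
            counts[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    if set(counts) != {"in", "out"}:
        raise ValueError("dd summary lines ('N+M records in/out') not found")
    return counts


def expected_size(records_out, block_size):
    """(minimum, maximum) size implied by 'records out'; a partial record is shorter than bs."""
    full, partial = records_out
    low = full * block_size
    return low, low + partial * block_size


def size_matches(actual, records_out, block_size):
    """True if the file size is consistent with dd's record count and block size."""
    low, high = expected_size(records_out, block_size)
    if records_out[1] == 0:
        return actual == low
    return low < actual < high


def fs_blocks(size, fs_block=4096):
    """Number of file-system blocks in the image (the decryption tool reports 4096-byte blocks)."""
    if size % fs_block:
        raise ValueError("image size is not a multiple of %d bytes" % fs_block)
    return size // fs_block


def gib(size):
    """Size in GiB, rounded the way the decryption tool prints it."""
    return round(size / float(1 << 30), 2)


def hash_image(path, algos=("sha1", "sha256"), chunk=1 << 20):
    """Hash a possibly multi-GB image without loading it into memory."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(buf)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(path, dd_text, block_size=16384):
    """Consistency report for one image: dd counts, size, block count and digests."""
    counts = parse_dd_summary(dd_text)
    actual = os.path.getsize(path)
    report = {
        "records_in_equals_out": counts["in"] == counts["out"],
        "size_ok": size_matches(actual, counts["out"], block_size),
        "size_bytes": actual,
        "fs_blocks": fs_blocks(actual) if actual % 4096 == 0 else None,
    }
    report.update(hash_image(path))
    return report


# dd's closing lines as printed in the output above (the tool used bs=16k).
SAMPLE_DD = "899616+0 records in\n899616+0 records out\n"


def selfcheck(block_size=4096, blocks=3):
    """Write a small constructed image to a temp file and verify it; returns (report, sha1)."""
    data = bytes(range(256)) * (block_size * blocks // 256)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "user.dmg")
        with open(path, "wb") as fh:
            fh.write(data)
        dd_text = "%d+0 records in\n%d+0 records out\n" % (blocks, blocks)
        report = verify_image(path, dd_text, block_size)
    return report, hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    counts = parse_dd_summary(SAMPLE_DD)
    low, _ = expected_size(counts["out"], 16384)
    print(low, fs_blocks(low), gib(low))   # bytes, 4096-byte blocks, GiB
    print(selfcheck())
```

Hash the encrypted image as acquired and the decrypted image separately: the SHA1 line printed by the tool above refers to the decrypted file, and the two digests will never match, so both belong in the report.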


Apple support for law enforcement 

On a regular basis, Apple publishes a document on its website called Legal Process 
Guidelines for U.S. Law Enforcement. These guidelines contain information on how 
to request Apple's support to recover information from iCloud or from an iDevice, 
and specify the data that Apple, in some cases, can extract from a passcode-protected 
device. The latest available version (https://www.apple.com/privacy/docs/legal-process-guidelines-us.pdf) 
states that: 

"For all devices running iOS 8.0 and later versions, Apple will no longer be 
performing iOS data extractions as the data sought will be encrypted and Apple will 
not possess the encryption key. For iOS devices running iOS versions earlier than iOS 
8.0, upon receipt of a valid search warrant issued upon a showing of probable cause, 
Apple can extract certain categories of active data from passcode locked iOS devices. 
Specifically, the user generated active files on an iOS device that are contained in 
Apple's native apps and for which the data is not encrypted using the passcode ("user 
generated active files"), can be extracted and provided to law enforcement on external 
media. Apple can perform this data extraction process on iOS devices running iOS 4 
through iOS 7. Please note the only categories of user generated active files that can be 
provided to law enforcement, pursuant to a valid search warrant, are: SMS, iMessage, 
MMS, photos, videos, contacts, audio recording, and call history. Apple cannot 
provide: email, calendar entries, or any third-party app data." 
This method was used, for example, by the South African police, who requested 
Apple's help in order to access the data stored on Oscar Pistorius' iPhone. 


Search and seizure flowchart 

In the following diagram, we provide a flowchart useful during the search and 
seizure phase of iDevices. It illustrates the procedure to follow when an iDevice is 
found. In particular, it describes how to proceed if the iDevice is turned on or off and 
whether it is locked with a passcode. 
Extraction flowchart 

In this section, we provide two flowcharts useful during the acquisition phase 
of iDevices. 

The first flowchart illustrates the procedure to follow for the extraction from old 
iDevices (for example, iPhone 4, iPad 1, and so on), where physical acquisition is 
always possible. 

The second flowchart illustrates the procedure to follow for the extraction from 
newer iDevices (for example, iPhone 4s/5, iPad 2/3/4, and so on), where physical 
acquisition is not always possible. 
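Since the two flowcharts are not reproduced here, the following Python function, an added example rather than the book's own diagram, encodes the decision rules stated in this chapter: which acquisition techniques are available for a given model, passcode situation, lockdown certificate, backup password and jailbreak status. The model lists, the time estimates and the "limited" data set are those given in the text; any model outside those lists is reported as not covered, and the assignment of a model to a group is my reading of the chapter, not a claim about later devices.

```python
"""Acquisition planning for an iDevice, following the rules in this chapter.

Added example: the editor's reading of the chapter text, not the book's own
flowchart. Model groups and timings are those stated in the text.
"""
from dataclasses import dataclass

# Models on which the boot ROM based physical acquisition is always possible.
OLD_MODELS = {"iPhone", "iPhone 3G", "iPhone 3GS", "iPhone 4", "iPad 1",
              "iPod touch 1", "iPod touch 2", "iPod touch 3", "iPod touch 4"}
# Models on which physical acquisition requires a jailbreak.
NEW_MODELS = {"iPhone 4s", "iPhone 5", "iPhone 5C", "iPad 2", "iPad 3",
              "iPad 4", "iPad mini 1", "iPod touch 5"}
# Models that, with iOS 3, do not encrypt the file system at all.
UNENCRYPTED_ON_IOS3 = {"iPhone", "iPhone 3G", "iPhone 3GS",
                       "iPod touch 1", "iPod touch 2"}

LIMITED = "limited (device name, UDID, Wi-Fi MAC address, iOS version)"


@dataclass
class Device:
    model: str
    ios_version: str
    passcode: str = "none"        # "none", "simple" (4 digits) or "complex"
    passcode_known: bool = False
    lockdown_cert: bool = False   # pairing record recovered from a synced computer
    backup_password: bool = False
    jailbroken: bool = False


def plan(d):
    """Return the acquisition methods available and the caveats that apply."""
    methods, notes = [], []

    # Direct, backup/logical and advanced logical all need an unlocked device,
    # the passcode, or a lockdown certificate.
    unlockable = d.passcode == "none" or d.passcode_known or d.lockdown_cert
    if unlockable:
        methods += ["direct", "backup/logical", "advanced logical"]
        if d.backup_password:
            notes.append("backup password set: crack it for the backup, or use "
                         "advanced logical, which bypasses it")
    else:
        methods.append(LIMITED)
        notes.append("seize synced computers and look for a lockdown certificate")

    if d.model in OLD_MODELS:
        methods.append("physical (DFU mode, boot ROM exploit)")
        if d.model in UNENCRYPTED_ON_IOS3 and d.ios_version.startswith("3."):
            notes.append("no file-system encryption: the image is clear text and "
                         "deleted records can be carved")
        elif d.passcode == "simple" and not d.passcode_known:
            notes.append("4-digit passcode: recoverable on the device in about "
                         "20-30 minutes, then everything can be decrypted")
        elif d.passcode == "complex" and not d.passcode_known:
            notes.append("complex passcode: try brute force/dictionary; otherwise "
                         "e-mail and stored passwords stay encrypted")
    elif d.model in NEW_MODELS:
        if d.jailbroken:
            methods.append("physical (device already jailbroken)")
        elif d.passcode == "none" or d.passcode_known:
            methods.append("physical (after jailbreak; invasive on the system partition)")
        else:
            notes.append("physical acquisition not possible: a jailbreak is needed "
                         "and it requires the passcode")
    else:
        notes.append("model not covered by this chapter")

    return {"methods": methods, "notes": notes}


if __name__ == "__main__":
    for dev in (Device("iPhone 4", "7.1.1", passcode="simple"),
                Device("iPad mini 1", "6.1.2", passcode="simple", passcode_known=True),
                Device("iPhone 5", "7.1", passcode="complex")):
        print(dev.model, plan(dev))
```

The function deliberately lists every method that applies rather than a single "best" one, because the chapter's own advice for devices with a backup password is to run both the backup and the advanced logical acquisition.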
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Summary 

In this chapter, we introduced the four most-used methods to acquire data from 
iDevices: direct, backup or logical, advanced logical, and physical. The backup 
and logical acquisitions can be performed on any device, but the device needs to be 
unlocked, or the analyst needs to know the passcode, or the analyst needs a lockdown 
certificate extracted from a computer the device was previously synced with. If the 
user has set a password on the backup, the resulting acquisition is encrypted and the 
analyst needs to try cracking the backup password (this topic is covered in detail in 
Chapter 5, Evidence Acquisition and Analysis from iTunes Backup). If the device is locked 
and the analyst doesn't know the code, or he/she doesn't have a lockdown certificate, 
only a very limited acquisition is possible: device name, device UDID, device Wi-Fi 
MAC address, and iOS version. The advanced logical acquisition can be performed 
under the same conditions as the backup or logical acquisition, but it can bypass the 
restrictions imposed by the backup password and extract the contents in clear text 
without the need to crack the backup password. The physical acquisition depends on 
the device and the operating system installed, as follows: 

• iPhone 2G/3G/3GS and iPod touch 1/2 with iOS 3 don't implement 
encryption, so it is always possible to perform a physical acquisition 
and the lock code can be cracked instantaneously. The resulting image is 
not encrypted, so it is possible to carve deleted records. 

• On iPhone 3GS/4, iPad 1, and iPod touch 3/4 with iOS 4/5/6/7, it is always 
possible to perform a physical acquisition. If the lock code is 4 digits long, it 
can be cracked in less than 20 minutes, so it is possible to recover all the files. 
If a complex passcode is in use, the analyst can try to crack it with a brute-force 
or dictionary attack. If it's not possible to crack it, it is still possible to perform a 
physical acquisition and decode the file system (with the extracted file system 
key) and all the files whose encryption does not depend on the passcode. 

• On iPhone 4s/5/5C, iPad 2, iPad mini 1, and iPod touch 5 with iOS 4/5/6/7, 
physical acquisition is possible only if the device is already jailbroken or if it 
is possible to jailbreak it (which means that the analyst must know the code). 

• On iPhone 5s/6/6 Plus, iPad Air, and iPad mini 2, it is currently not possible 
to perform a physical acquisition, although there are studies 
and research on it. 

In the next chapter, we will introduce you to the most interesting and useful 
artifacts that can be found on iDevices. 
Self-test questions 

1. What is the mode in which iOS devices operate to upgrade the operating 
system called? 

1. Normal 

2. Recovery 

3. Device Firmware Upgrade 

4. Update 

2. Where are the lockdown certificates stored in Windows 7/8? 

1. C:\Program Data\Apple\Lockdown 

2. C:\Users\[username]\AppData\Roaming\Apple Computer\Lockdown 

3. C:\Users\[username]\AppData\Local\Apple Computer\Lockdown 

4. C:\Windows\Apple Computer\Lockdown 

3. Which of the following tools can be used to perform a physical acquisition of 
a jailbroken iPhone 4s? 

1. iOS Forensic Toolkit 

2. Oxygen Forensics Suite 

3. Cellebrite UFED Touch 

4. Mobile Phone Examiner 

4. What is the latest iPhone model that can be physically acquired even if it is 
not jailbroken? 

1. iPhone 3GS 

2. iPhone 4 

3. iPhone 5 

4. iPhone 6 

5. What is the device identifier for iOS devices called? 

1. ECID 

2. UDID 

3. Serial Number 

4. MAC Address 
Analyzing iOS Devices 


The goal of this chapter is to guide you through the analysis of the important artifacts 
that are present on an iDevice. In the first part, the focus will be on the artifacts generated by 
the features of the system or by the interaction of the user with it, referring mainly 
to the iOS configuration files and to the iOS native applications. In the second part, 
we will go through the manual analysis of some of the most common third-party 
applications, with the goal of giving you a general approach that you will be able to 
apply to all the different apps you will encounter along the way. Several publications 
are also available on this topic; references to some of them are given in Appendix A, 
References. We will conclude with a case study to provide you also with an example 
of proprietary analysis software. All of this focuses on the two main 
formats used to store data: SQLite databases and property list (plist) files. 


How data are stored 

Before actually starting the analysis of the artifacts we can find inside an iDevice, let's 
take a look at how data is structured and in which format it is stored. Inside the 
iOS file system, most of the user data is stored under /private/var/mobile/, or 
simply /User/, which is a symlink pointing to that directory: 

# tree -d -L 2 /private/var/mobile/ 
/private/var/mobile/ 
|-- Applications 
|   |-- 18073081-5AA9-4E02-B6B7-4AD8DAF7E677 
|   |-- 1B880E57-314B-41E2-879E-189F423DBE05 
|   |-- 22B5EA26-BD8A-4F53-8557-90656158B46E 
|-- Containers 
|-- Documents 
|   `-- com.apple.springboard.settings 
|-- Library 
|   |-- Accounts 
|   |-- AddressBook 
|   |-- AggregateDictionary 
|   |-- Inboxes 
|   |-- Keyboard 
|   |-- Logs 
|   |-- Mail 
|   |-- Preferences 
|   |-- SMS 
|   |-- Safari 
|   |-- SoftwareUpdate 
|   |-- Spotlight 
|   |-- SpringBoard 
|-- Media 
|   |-- Airlock 
|   |-- ApplicationArchives 
|   |-- Books 
|   |-- DCIM 
|   |-- Downloads 
`-- MobileSoftwareUpdate 

While you may easily guess the meaning of most of the folders, you may wonder what 
those names inside the Applications folder are. They are the installed apps, identified 
by their Universally Unique ID (UUID). Inside each application folder, 
you will see, most of the time, the same structure, which looks something like this: 

# tree -L 1 FAA3360F-18A5-4EA2-A331-53F2A49C5A8E/ 
FAA3360F-18A5-4EA2-A331-53F2A49C5A8E/ 
|-- Documents 
|-- Library 
|-- StoreKit 
|-- Telegram.app 
|-- iTunesArtwork 
|-- iTunesMetadata.plist 
`-- tmp 

In particular: 

• /private/var/mobile/Applications/: This is the actual path that 
/User/Applications/ also points to 

• /User/Applications/########-####-####-####-############: In this 
path, the # symbols represent the UUID 

• <Application_Home>/AppName.app: This is the application bundle, 
which will not be backed up 

• <Application_Home>/Documents/: This path contains application-specific 
data files 

• <Application_Home>/Library/: This path contains application-specific files 

• <Application_Home>/Library/Preferences/: This path contains 
application preference files 

• <Application_Home>/Library/Caches/: This path contains application-
specific support files, which will not be backed up 

• <Application_Home>/tmp/: This path contains temporary files that are not 
persistent between application launches, which will not be backed up. 



It has to be noted, however, that these paths have slightly 
changed with the introduction of iOS 8. In fact, the path 
/private/var/mobile/Applications/ has been changed 
to /private/var/mobile/Containers/Bundle/Application/. 
Keep this in mind also for the other paths 
you will encounter in the rest of this book. 
In the root application folder, the iTunesMetadata.plist file contains, among 
other things, information related to the product, the Apple account name, and the date of 
purchase, which may turn out to be useful in some cases. You will find one of these files in 
each application directory. 


Key                              Type        Value 
accountInfo                      Dictionary  (12 items) 
    AccountURLBagType            String      production 
    CreditDisplayString          String 
    AccountServiceTypes          Number      0 
    DidFallbackToPassword        Boolean     NO 
    AccountStoreFront            String      143450-2,21 ab:XYZl 
    AccountIsNewCustomer         Boolean     NO 
    AccountKind                  Number      0 
    AccountAvailableServiceTypes Number      0 
    AppleID                      String      demo@gmail.com 
    AccountSocialEnabled         Boolean     NO 
    AccountSource                String      device 
    DSPersonID                   Number      1.627.312.175 
purchaseDate                     String      2014-09-16T13:32:57Z 



Regarding the format that Apple uses to store its files, you will encounter mostly 
two types: plist, mainly used for configuration files, and SQLite databases. We 
will look at both formats in more detail in the next section. 

Timestamps 

A very important aspect that you have to pay attention to is the timestamp 
convention used. This is crucial especially if you are analyzing the artifacts manually, 
without one of the specialized commercial tools. Instead of the classical UNIX Epoch 
Time, which represents the number of seconds elapsed since January 1, 1970 00:00:00, 
iOS devices adopt Mac Absolute Time, which represents the number of 
seconds elapsed since January 1, 2001 00:00:00. The difference between the two is 
978,307,200 seconds. There are several resources available online that you could use 
to calculate it, or else you can do it on your Mac by adding the preceding value to the 
Mac Absolute Time value, as in the following example: 

$ date -u -r `echo '314335349 + 978307200' | bc` 

Sat Dec 18 03:22:29 UTC 2010 

Remember to insert the -u switch in order to display it in UTC 
time, or else the system will give you an output in your local 
time (or whatever is set as the local time on your machine). 
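The same conversion scripted in Python, as an added example that is not part of the book: it applies the 978,307,200-second offset to whole columns of values and, going one step beyond the text, flags which of the two epochs a bare number plausibly uses (the 2007 lower bound of that check is an assumption of this example).

```python
"""Mac Absolute Time helpers (added example, not the book's code).

Mirrors `date -u -r $(echo '314335349 + 978307200' | bc)` from the text and
adds a plausibility check for values whose epoch is unknown.  The 2007 lower
bound used by guess_and_convert() is an assumption of this example.
"""
from datetime import datetime, timedelta, timezone

# Offset between the two epochs, as given in the text.
MAC_EPOCH_OFFSET = 978_307_200
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: no iOS device existed before 2007, so no genuine iOS
# timestamp can precede that date.
EARLIEST_PLAUSIBLE = datetime(2007, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(value):
    """Interpret `value` as Mac Absolute Time (whole or fractional seconds).

    timedelta keeps sub-second precision, so Core Data values such as
    437233446.565407 (ZMODIFICATIONDATE in notes.sqlite) survive intact.
    """
    return MAC_EPOCH + timedelta(seconds=float(value))


def unix_to_utc(value):
    """Interpret `value` as classic UNIX Epoch Time."""
    return UNIX_EPOCH + timedelta(seconds=float(value))


def mac_absolute_to_unix(value):
    """The arithmetic the text performs with bc: add the epoch offset."""
    return value + MAC_EPOCH_OFFSET


def guess_and_convert(value, now=None):
    """Return (convention, datetime) for a timestamp of unknown convention.

    The two readings of the same number differ by 31 years, so for a device
    timestamp only one of them normally falls between 2007 and `now`.  When
    neither or both do, the value is reported as "ambiguous" together with
    the Mac Absolute reading, so the analyst has to verify it against the
    source table instead of trusting a silent default.
    """
    now = now or datetime.now(timezone.utc)
    as_mac = mac_absolute_to_utc(value)
    as_unix = unix_to_utc(value)
    mac_ok = EARLIEST_PLAUSIBLE <= as_mac <= now
    unix_ok = EARLIEST_PLAUSIBLE <= as_unix <= now
    if mac_ok and not unix_ok:
        return "mac_absolute", as_mac
    if unix_ok and not mac_ok:
        return "unix", as_unix
    return "ambiguous", as_mac


def convert_column(values, now=None):
    """Convert a whole column (e.g. every ZCREATIONDATE pulled from a table)."""
    return [guess_and_convert(v, now) for v in values]


if __name__ == "__main__":
    # 314335349 is the value from the text; 1411901516 is the `date` column
    # of the call_history.db row shown later in the chapter (UNIX epoch).
    for raw in (314335349, 1411901516, 437233446.565407):
        kind, when = guess_and_convert(raw)
        print(f"{raw!s:>20}  {kind:<13}  {when:%Y-%m-%d %H:%M:%S} UTC")
```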
Databases 

The most common type of data storage on iOS devices (just like on other mobile 
platforms in general) is SQLite databases. Both native and 
third-party applications heavily use SQLite database files to store their data, as we 
will see in more detail later. 

There are several tools available, both free/open source and commercial, such 
as SQLite Database Browser, which offers a GUI, as well as the SQLite 
command-line utility, available from the official SQLite website, 
http://www.sqlite.org/. If you are using Mac OS X as the analysis machine, it comes 
with the sqlite3 utility preinstalled. 

The property list files 

Property list files, or plists, are the other most common data format used on 
iOS devices (and on Mac OS X as well). The plist files are mainly used to store 
configuration information, preferences, and settings. Their format is comparable to 
XML, and they are usually stored either as binary or as plain text (XML) files. 

A common tool used for parsing a plist file under Windows is plist Editor Pro, while 
if you are using Mac OS X you can either use Xcode to view the plist files or the 
command-line utility, plutil. 
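Parsing plists without Xcode or plutil, as an added example that is not the book's code: it builds a constructed Applications/<UUID>/ tree in a temporary directory, writes a binary iTunesMetadata.plist into each container and reads them back with Python's plistlib, producing the UUID-to-account inventory described earlier in the chapter. The accountInfo/AppleID and purchaseDate keys come from the text; itemName and all values are constructed.

```python
"""Inventory iTunesMetadata.plist across app containers (added example).

Not the book's code: it builds a constructed Applications/<UUID>/ tree in a
temporary directory, writes a binary iTunesMetadata.plist into each container
and parses them with plistlib, the library equivalent of plutil.  The
accountInfo/AppleID and purchaseDate keys appear in the text; itemName and
all values are constructed for this example.
"""
import os
import plistlib
import tempfile


def parse_itunes_metadata(path):
    """Return the fields an analyst usually wants from one iTunesMetadata.plist.

    plistlib.load() detects binary and XML plists by itself, so the same call
    works whether or not the file was converted with `plutil -convert xml1`.
    """
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    account = data.get("accountInfo", {})
    return {
        "itemName": data.get("itemName"),
        "AppleID": account.get("AppleID"),
        "AccountSource": account.get("AccountSource"),
        "purchaseDate": data.get("purchaseDate"),
    }


def inventory_applications(apps_root):
    """Map every <UUID> container under apps_root to its parsed metadata.

    Containers without the plist are reported as None rather than skipped,
    so an app that did not come from the App Store still shows up in the
    report instead of silently disappearing.
    """
    report = {}
    for uuid in sorted(os.listdir(apps_root)):
        plist = os.path.join(apps_root, uuid, "iTunesMetadata.plist")
        report[uuid] = parse_itunes_metadata(plist) if os.path.isfile(plist) else None
    return report


def accounts_seen(report):
    """Distinct Apple IDs that purchased the installed apps (None entries ignored)."""
    return sorted({m["AppleID"] for m in report.values() if m and m["AppleID"]})


def build_constructed_tree():
    """Create a throwaway Applications/ tree; the UUIDs are the ones shown in the text."""
    root = tempfile.mkdtemp(prefix="apps-")
    containers = {
        "18073081-5AA9-4E02-B6B7-4AD8DAF7E677": {
            "itemName": "ExampleApp",                 # constructed
            "purchaseDate": "2014-09-16T13:32:57Z",
            "accountInfo": {"AppleID": "demo@example.com", "AccountSource": "device"},
        },
        "1B880E57-314B-41E2-879E-189F423DBE05": {
            "itemName": "OtherApp",                   # constructed
            "purchaseDate": "2014-11-01T09:00:00Z",
            "accountInfo": {"AppleID": "second@example.com", "AccountSource": "device"},
        },
    }
    for uuid, meta in containers.items():
        os.makedirs(os.path.join(root, uuid))
        with open(os.path.join(root, uuid, "iTunesMetadata.plist"), "wb") as fh:
            plistlib.dump(meta, fh, fmt=plistlib.FMT_BINARY)
    # A third container with no iTunesMetadata.plist at all.
    os.makedirs(os.path.join(root, "22B5EA26-BD8A-4F53-8557-90656158B46E"))
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    report = inventory_applications(root)
    for uuid, meta in report.items():
        print(uuid, meta)
    print("accounts:", accounts_seen(report))
```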

The iOS configuration files 

iOS has many preference and configuration files where it stores tons of data that 
may turn out to be valuable during an investigation. This section provides you with 
a detailed (although not exhaustive) list of some of those that are useful to keep in 
mind, as follows: 

• Account and device information: Check out /private/var/root/Library/Lockdown/data_ark.plist. 
It contains various information about the device and about its account holder. 

• Account information: Have a look at /private/var/mobile/Library/Accounts/Accounts3.sqlite. 
This file contains account information. 

• Account information: Go to /private/var/mobile/Library/DataAccess/AccountInformation.plist. 
You'll find the account information used to set up apps here. 

• Airplane Mode: Check /private/var/root/Library/Preferences/com.apple.preferences.network.plist. 
This specifies whether Airplane Mode is presently enabled on the device. 




• Application installed list: Now have a look at /private/var/mobile/Library/Caches/com.apple.mobile.installation.plist. 
It contains a list of all the installed applications on the device and the file paths to each 
application. This is useful to map application GUIDs to specific apps. 

• AppStore settings: Check /private/var/mobile/Library/Preferences/com.apple.AppStore.plist. 
It contains the last store search. 

• Configuration information and settings: Go to /private/var/mobile/Library/Preferences/. 
It contains the plist files with the system configuration and the settings of the Apple apps. 

• Lockdown certificate info: Navigate to /private/var/root/Library/Lockdown/pair_records/. 
It contains information about the lockdown/pairing certificates and also the 
computers the iOS device has been paired with. 

• Network information: Go to /private/var/preferences/SystemConfiguration/com.apple.network.identification.plist. 
It contains a cache of IP networking information such as the previous network 
addresses, router addresses, and name servers used. A timestamp for each 
network is also provided. 

• Notification log: Check out /private/var/mobile/Library/BulletinBoard/ClearedSections.plist. 
It's a log of cleared notifications. 

• Passwords: Go to /private/var/Keychains/. It contains the passwords 
saved on the iDevice. 

• SIM card info: Now have a look at /private/var/wireless/Library/Preferences/com.apple.commcenter.plist. 
It contains the ICCID and IMSI of the SIM card last used in the device. 

• Springboard: Go through /private/var/mobile/Library/Preferences/com.apple.springboard.plist. 
It contains the order of the applications on each screen. 

• System Logs: Check /private/var/logs/. This folder contains the iOS 
system logs. 

• Wi-Fi networks: Now see /private/var/preferences/SystemConfiguration/com.apple.wifi.plist. 
It contains the list of the known Wi-Fi networks, the timestamp of the last join, 
and several other useful pieces of information. For more information on this and 
a deeper analysis, you can have a look at the article available at 
http://articles.forensicfocus.com/2013/09/03/from-iphone-to-access-point/. 
Native iOS apps 

iDevices come with some native applications already installed by Apple, such as 
the Safari browser, the e-mail client, the calendar, and utilities linked to some basic phone 
functionalities, such as the Camera, Call History, or SMS/iMessage. Most of the 
evidence produced by these native applications and functionalities is located, apart from 
inside the application folders themselves, in the Library folder: 

• /private/var/mobile/Library/: In case of physical acquisition or inside 
the device 

• Backup Service/mobile/Library/: In case of file system acquisition 

• Library: In case of logical acquisition 

Here, we can find data related to communication, preferences, Internet history and 
cache, keyboard keystrokes, and much more. Other than the Library folder, the 
other very important location is the Media folder, /private/var/mobile/Media/, 
where user-created pictures and audio files are usually stored, among other things. 

Address book 

As one could imagine, the AddressBook folder under Library holds the 
information present in the Contacts application related to the personal contacts; 
it is stored in SQLite database format. There are two databases of interest: 
AddressBook.sqlitedb and AddressBookImages.sqlitedb. 

AddressBook.sqlitedb contains the actual information saved for each contact, such 
as name, surname, phone number, e-mail address, and so on. In this database, the 
tables of interest containing the information mentioned are mainly ABPerson and 
ABMultiValue. 

AddressBookImages.sqlitedb is the database containing the images that the user 
may have associated with a given contact, which is basically the image appearing every 
time a call to that contact is made or received. The main table of interest in this 
database is ABFullSizeImage. 

Audio recordings 

The Voice Memos app, preinstalled on iDevices, lets the user record voice 
memos. These memos are stored in /private/var/mobile/Media/Recordings/. 
Inside this folder, there is the Recordings.db database, which contains information 
about each voice memo stored, such as the date, duration, memo name, and filename 
of the actual audio file, which is stored in the same folder. 
Calendar 

The Calendar application allows the user to manually create events, as well as sync 
them with other applications, such as the related Mac OS X version of the app or other 
third-party applications and services. Such information is stored in two databases: 

• /private/var/mobile/Library/Calendar/Calendar.sqlitedb 

• /private/var/mobile/Library/Calendar/Extras.db 

The Calendar.sqlitedb database contains basically all the information related to 
the events present in the calendar, while Extras.db contains other information such 
as the Calendar settings or extra details of the alarms linked to a certain calendar event. 

# sqlite3 Extras.db 
SQLite version 3.7.13 
Enter ".help" for instructions 
sqlite> .mode line 
sqlite> .tables 
ZALARM        ZSETTING      Z_METADATA    Z_PRIMARYKEY 
sqlite> SELECT * FROM ZALARM; 
Z_PK = 1 
Z_ENT = 1 
ZOPT = 1 
ZALARMID = 1 
ZALLDAY = 
ZENTITYID = 53 
ZISDELAYEDPROXIMITYALARM = 
ZACKNOWLEDGEDDATE = 0 
ZENTITYDATE = 437137200 
ZFIRETIME = 437136300 
ZENTITYTIMEZONE = Europe/Rome 
ZEXTERNALID = 4E96BF04-97C1-4D43-A638-5B465815DA13 
Call history 

When we tap the Phone application icon, we see a lot of information, almost all of it 
coming from one database, /private/var/wireless/Library/CallHistory/call_history.db. 
Here we can find records of incoming, outgoing, and missed calls, 
along with the time and date they occurred and their duration. This database covers 
both standard calls and FaceTime calls. As we can see in the following example, the 
table of interest is call: 

# ls -l 
-rw-r--r-- 1 _wireless _wireless 28672 Oct 9 11:26 call_history.db 

# sqlite3 call_history.db 
SQLite version 3.7.13 
Enter ".help" for instructions 
sqlite> .mode line 
sqlite> .tables 
_SqliteDatabaseProperties  call 
sqlite> SELECT * FROM call; 
ROWID = 3 
address = 119 
date = 1411901516 
duration = 174 
flags = 1 
id = -1 
name = 
country_code = 230 
network_code = 01 
read = 1 
assisted = 0 
face_time_data = 
originalAddress = 
answered = 0 

In iOS 8, the path has slightly changed to 
/private/var/wireless/Library/CallHistoryDB/CallHistory.storedata. 
Still related to the Phone application, there are two other important files to 
analyze. The file /private/var/mobile/Library/Preferences/com.apple.mobilephone.plist 
contains DialerSavedNumber, which is the last phone number 
manually entered into the dialer and actually dialed. The important thing to note 
here is that this value will remain even if the user deletes the last call placed from 
the call history list, which will of course also be deleted from the call_history.db 
database we have just analyzed. The second file that may also be of interest during 
an investigation is /private/var/mobile/Library/Preferences/com.apple.mobilephone.speeddial.plist, 
which contains the phone numbers added to the phone favorites list. 

E-mail 

Apple Mail client-related data is stored at /private/var/mobile/Library/Mail/, 
which contains the databases storing the e-mail messages sent, received, and drafted 
that are kept on the device, as well as a folder for each separate account (POP/IMAP) 
that has been configured within the Mail application. So, you may want to 
take a look at all the content you find in there. To give you an example, the folder 
content may look like the following listing: 


# ls -l 
-rw-r--r-- 1 mobile mobile      42 Nov  9 13:07 AutoFetchEnabled 
-rw-r--r-- 1 mobile mobile   69632 Nov  8 16:15 Content\ Index 
-rw-r--r-- 1 mobile mobile  192512 Nov  8 16:15 Envelope\ Index 
-rw-r--r-- 1 mobile mobile   32768 Nov  8 16:15 Envelope\ Index-shm 
-rw-r--r-- 1 mobile mobile 1347272 Nov  9 13:08 Envelope\ Index-wal 
drwx------ 3 mobile mobile     136 Aug 19 15:10 IMAP-<account_username>\@gmail.com\@imap.gmail.com/ 
-rw-r--r-- 1 mobile mobile     395 Nov  8 16:15 MailboxCollections.plist 
drwx------ 2 mobile mobile     102 Aug 19 15:11 Mailboxes/ 
-rw-r--r-- 1 mobile mobile 1638400 Sep 28 13:14 Protected\ Index 
-rw-r--r-- 1 mobile mobile   32768 Nov  8 16:15 Protected\ Index-shm 
-rw-r--r-- 1 mobile mobile 1236032 Nov  8 16:15 Protected\ Index-wal 
-rw-r--r-- 1 mobile mobile    4096 Jul 31 17:51 Recents 
-rw-r--r-- 1 mobile mobile   32768 Nov  8 16:15 Recents-shm 
-rw-r--r-- 1 mobile mobile 1256632 Nov  9 13:08 Recents-wal 
drwx------ 2 mobile mobile      68 Jul 28 17:11 Vault/ 
-rw-r--r-- 1 mobile mobile     333 Nov  9 13:08 metadata.plist 
Although they have no extension, most of these files are SQLite databases (as you may 
guess from the presence of the -shm and -wal files). For example, the Envelope Index 
database contains the list of mailboxes and metadata, while the Protected Index database 
contains the list of the e-mails present in the Inbox, where the last is the most recent: 

# sqlite3 Protected\ Index 
SQLite version 3.7.13 
Enter ".help" for instructions 
sqlite> .mode line 
sqlite> .tables 
message_data  messages 
sqlite> SELECT * FROM messages; 
message_id = 9 
sender = "Facebook" <update@facebookmail.com> 
subject = You have more friends on Facebook than you think 
_to = Demo <<account_username>@gmail.com> 

message_id = 130 
sender = "PayPal" <paypal@e.paypal.it> 
subject = Accordi legali PayPal 
_to = <account_username>@gmail.com 

Images 

User photos inside an iDevice are stored at /private/var/mobile/Media/, where the 
two main folders are as follows: 

• DCIM: This folder contains the user-created photos taken via the built-in camera 
(usually in the .jpg format) and the screenshots taken by the user by pressing the 
Power and Home buttons together (usually in the .png format) 

• PhotoData: This folder contains, among other data, the photo albums synced 
with a computer or the cloud 

Moreover, it is very important not to forget the thumbnails. In fact, for each photo, 
iOS will generate a thumbnail, store it within /private/var/mobile/Media/PhotoData/Thumbnails/, 
and save information about the original image in the 
Photos.sqlite database. This is important because thumbnails and information 
related to the original picture may still be available or recoverable from the SQLite 
deleted entries (see the related section later in this chapter) even in case the original 
picture is not available anymore. 
For an in-depth analysis of this topic, we advise the 
reader to have a look at the article available at 
http://linuxsleuthing.blogspot.it/2013/05/ios6-photo-streams-recover-deleted.html. 


Maps 

Since the release of iOS 6 in 2012, Apple includes its own Maps application. Files and 
locations of interest are /private/var/mobile/Library/Preferences/com.apple.Maps.plist, 
which contains information related to the last search that has been 
made by the user, such as the longitude and latitude coordinates as well as the search 
query made, and the Maps' main folder (/private/var/mobile/Library/Maps), 
which contains the history of the searches made by the user as well as the list 
of locations bookmarked: 

# ls -l 
-rw-r--r-- 1 mobile wheel  4954 Nov  9 14:05 Bookmarks.plist 
-rw-r--r-- 1 mobile wheel     0 Nov  9 14:02 Bookmarks.synced 
-rw-r--r-- 1 mobile mobile    0 Jul 28 17:13 FailedSearches.mapsdata 
-rw-r--r-- 1 mobile wheel  5372 Nov  9 14:02 History.mapsdata 
-rw-r--r-- 1 mobile wheel     0 Nov  9 14:02 History.synced 
drwxr-xr-x 3 mobile mobile  102 Jul 28 17:13 ReportAProblem/ 
-rw-r--r-- 1 mobile mobile 4867 Nov  9 14:06 SearchResults.dat 


Notes 

The Notes application stores information about the user-created notes in 
/private/var/mobile/Library/Notes/notes.sqlite. The main tables of interest 
are ZNOTE and ZNOTEBODY; they contain the note title, content, creation and modification 
date, and so on. 

# sqlite3 notes.sqlite 
SQLite version 3.7.13 
Enter ".help" for instructions 
sqlite> .mode line 
sqlite> .tables 
ZACCOUNT      ZNOTE         ZNOTECHANGE   ZSTORE        Z_PRIMARYKEY 
ZNEXTID       ZNOTEBODY     ZPROPERTY     Z_METADATA 
sqlite> SELECT * FROM ZNOTE; 
ZCREATIONDATE = 429638384.376295 
ZMODIFICATIONDATE = 437233446.565407 
ZAUTHOR = 
ZGUID = 
ZSERVERID = 
ZSUMMARY = This is extra text of my note 
ZTITLE = ThisIsMyPasswordCopyPaste 

sqlite> SELECT * FROM ZNOTEBODY; 
Z_PK = 1 
Z_ENT = 4 
ZOPT = 2 
ZOWNER = 1 
ZCONTENT = ThisIsMyPasswordCopyPaste<div><br></div><div>This is extra text of my note</div> 

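The same extraction done programmatically, as an added example that is not the book's code: it populates a constructed in-memory database with the ZNOTE and ZNOTEBODY columns printed above, joins the two tables (the join on ZNOTEBODY.ZOWNER = ZNOTE.Z_PK is an assumption of this example), flattens the <div>/<br> markup that Notes wraps around the body, and converts the Mac Absolute Time columns to UTC.

```python
"""Decode notes from a notes.sqlite-style database (added example).

Not the book's code: a constructed in-memory database with the ZNOTE and
ZNOTEBODY columns printed in the text is populated, the two tables are joined
(the join on ZNOTEBODY.ZOWNER = ZNOTE.Z_PK is an assumption of this example),
the <div>/<br> markup Notes wraps around the body is flattened, and the Mac
Absolute Time columns are converted to UTC.  Sample rows are constructed.
"""
import html
import re
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

SCHEMA = """
CREATE TABLE ZNOTE (
    Z_PK INTEGER PRIMARY KEY, ZCREATIONDATE REAL, ZMODIFICATIONDATE REAL,
    ZAUTHOR TEXT, ZGUID TEXT, ZSERVERID TEXT, ZSUMMARY TEXT, ZTITLE TEXT);
CREATE TABLE ZNOTEBODY (
    Z_PK INTEGER PRIMARY KEY, Z_ENT INTEGER, ZOPT INTEGER, ZOWNER INTEGER,
    ZCONTENT TEXT);
"""

# (Z_PK, ZCREATIONDATE, ZMODIFICATIONDATE, ZSUMMARY, ZTITLE, ZCONTENT);
# the first row reproduces the record shown in the text, the second is made up.
SAMPLE_ROWS = [
    (1, 429638384.376295, 437233446.565407, "This is extra text of my note",
     "ThisIsMyPasswordCopyPaste",
     "ThisIsMyPasswordCopyPaste<div><br></div><div>This is extra text of my note</div>"),
    (2, 437000000.0, 437000100.0, "milk & eggs", "Groceries",
     "Groceries<div>milk &amp; eggs</div>"),
]


def mac_absolute_to_utc(seconds):
    """Seconds since 2001-01-01 00:00:00 UTC -> timezone-aware datetime."""
    return MAC_EPOCH + timedelta(seconds=float(seconds))


def html_to_text(markup):
    """Flatten Notes markup: one <div> per line, <div><br></div> is a blank line."""
    text = re.sub(r"<div>\s*<br\s*/?>\s*</div>", "<div></div>", markup, flags=re.I)
    text = re.sub(r"<br\s*/?>", "\n", text, flags=re.I)
    text = re.sub(r"<div>", "\n", text, flags=re.I)
    text = re.sub(r"</div>", "", text, flags=re.I)
    text = re.sub(r"<[^>]+>", "", text)          # drop any other tag
    return html.unescape(text).strip()


def load_notes(conn):
    """Return one dict per note, most recently modified first."""
    query = """
        SELECT n.Z_PK, n.ZTITLE, n.ZCREATIONDATE, n.ZMODIFICATIONDATE, b.ZCONTENT
        FROM ZNOTE AS n LEFT JOIN ZNOTEBODY AS b ON b.ZOWNER = n.Z_PK
        ORDER BY n.ZMODIFICATIONDATE DESC
    """
    return [
        {
            "pk": pk,
            "title": title,
            "created": mac_absolute_to_utc(created),
            "modified": mac_absolute_to_utc(modified),
            "text": html_to_text(content or ""),
        }
        for pk, title, created, modified, content in conn.execute(query)
    ]


def build_constructed_db():
    """In-memory stand-in for notes.sqlite holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for pk, created, modified, summary, title, content in SAMPLE_ROWS:
        conn.execute(
            "INSERT INTO ZNOTE (Z_PK, ZCREATIONDATE, ZMODIFICATIONDATE, ZSUMMARY, ZTITLE)"
            " VALUES (?, ?, ?, ?, ?)", (pk, created, modified, summary, title))
        conn.execute(
            "INSERT INTO ZNOTEBODY (Z_PK, Z_ENT, ZOPT, ZOWNER, ZCONTENT)"
            " VALUES (?, ?, ?, ?, ?)", (pk, 4, 2, pk, content))
    conn.commit()
    return conn


if __name__ == "__main__":
    # On a real extraction, open a copy of notes.sqlite taken together with its
    # -wal and -shm companions: rows not yet checkpointed live only in the -wal.
    for note in load_notes(build_constructed_db()):
        print(f"[{note['modified']:%Y-%m-%d %H:%M:%S} UTC] {note['title']}")
        print(note["text"], end="\n\n")
```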

Safari 

Safari is the Apple browser that comes preinstalled on every iDevice. It allows the 
user to browse websites, save bookmarks, and so on. All these activities are stored in 
two locations, /private/var/mobile/Library/ and the Safari main application 
folder. In particular, the folder details are given as follows: 

• Safari Bookmarks: The information is stored at Library/Safari/Bookmarks.db. 
It contains the database with the saved bookmarks. 

• Safari Bookmarks: The information is stored at Library/Safari/Bookmarks.plist.anchor.plist. 
Its timestamp identifies the last time the Safari bookmarks were modified. 

• Safari Cookies: The information is stored at Library/Cookies/Cookies.binarycookies. 
Website cookies are stored here. 

• Safari Screenshots: The information is stored at Library/Caches/Safari/. 
This directory contains thumbnails referring to screenshots of web pages that 
have been recently visited by the user. 

• Safari Search cache: The information is stored at Library/Caches/Safari/RecentSearches.plist. 
It contains the most recent searches that the user has entered into Safari's search bar. 

• Safari search history: The information is stored at Library/Preferences/com.apple.mobilesafari.plist. 
It contains a list of recent searches made through Safari. An important thing to 
remember is that when the user deletes his/her browser cache or history, this file 
will not be erased. 

• Safari Suspended State: The information is stored at Library/Safari/SuspendState.plist. 
It contains the last state of Safari at the time the user pressed the Home button, 
the iPhone was powered off, or the browser crashed. In order to be able to restore 
such state when the browser resumes, this file contains the list of windows and 
websites that were open when one of the previously mentioned events occurred 
and the browser closed. 

• Safari Thumbnails: The information is stored at Library/Caches/Safari/Thumbnails/. 
This directory will contain screenshots of the last active browser pages viewed 
via WebKit, for example, by third-party apps. 

• Safari Web Cache: The information is stored at Library/Caches/com.apple.mobilesafari/Cache.db. 
It contains objects that were recently downloaded and cached by the Safari browser. 

• Safari History: The information is stored at Library/Safari/History.plist. 
It contains the Safari web browser history. Of course, if it has been 
cleared by the user, it will not contain the history prior to that. 

SMS/iMessage 

As for the Call History, there is one database storing the SMSs, MMSs, and iMessages 
sent or received by the user. The database is at /private/var/mobile/Library/SMS/sms.db, 
and it also contains the information related to any attachments 
present in MMSs or iMessages. In such a case, the files that are part of MMSs or iMessages 
are stored in the subfolder Library/SMS/Attachments/. Finally, the last folder of 
interest regarding SMS is Library/SMS/Drafts, where each draft has its own 
folder containing a plist file whose timestamp identifies when the message was 
typed and then abandoned. 

Voicemail 

The Voicemail folder at /private/var/mobile/Library/ contains both the audio 
file of each recorded voicemail message, stored as AMR codec audio files, and the 
voicemail.db database, which stores information related to each voicemail 
audio message file, such as the sender, the date, the duration, and so on. 
Other iOS forensics traces 

In this section, we will list some other locations of interesting artifacts. Those listed 
here are not strictly related to a particular application but are rather generated by 
the user's interaction with the system during normal use of the device. 

Clipboard 

The pasteboardDB file under /private/var/mobile/Library/Caches/com.apple.UIKit.pboard 
is a binary file that contains a cached copy of the data stored on the 
device's clipboard, which means that the data that have been cut/copied and pasted 
by the user (that is, passwords or other portions of text that may become relevant) 
will also be present there. 

Keyboard 

Two of the iOS features are the auto correction and auto completion of the text while 
the user is typing. To do this, every time the user types, iOS caches his/her text in the 
dynamic-text.dat file. 
This file is located at /private/var/mobile/Library/Keyboard. This is the default 
file, but of course, iOS creates one for each language used and configured in the 
keyboard and stores it in the same directory. In the following example, the second 
file is related to the Italian keyboard configuration: 

# ls -l 
drwxr-xr-x 4 mobile mobile  136 Aug 14 15:48 CoreDataUbiquitySupport/ 
-rw------- 1 mobile wheel  1084 Nov  9 14:44 dynamic-text.dat 
-rw------- 1 mobile wheel  6678 Nov  9 14:43 it_IT-dynamic-text.dat 


Location 

With iOS 4, there was the consolidated GPS cache, a database containing location 
information associated with every Wi-Fi hotspot and cell tower that the device had 
been in range of. In this database, located at /private/var/root/Library/Caches/locationd/consolidated.db, 
the WifiLocation and CellLocation tables 
contain information cached locally by the device and include the Wi-Fi access points 
and cellular towers that have come within range of the device at a given time, 
together with a horizontal accuracy (in meters), believed to be a guesstimate of the distance 
from the device. Such data, other than remaining forever in that database, was 
allegedly sent periodically to Apple. After the so-called "locationgate" scandal that 
arose after the discovery of this database, Apple more or less retired it. 

However, a new database took the place of consolidated.db, that is, 
/private/var/root/Library/Caches/locationd/cache_encryptedA.db. As with its 
predecessor, this database contains the geographical coordinates of Wi-Fi access points 
and, apparently, cell towers that have been in range of the device. The only 
difference in this case is that this data is kept for only 8 days before being cleared 
out. In the following output, you can see the names of the tables within the database: 


$ sqlite3 cache_encryptedA.db 
SQLite version 3.8.4.3 2014-04-03 16:53:12 
Enter ".help" for usage hints. 
sqlite> .tables 
AppHarvest                        CellLocationLocalBoxes_rowid 
AppHarvestCounts                  CellLocationLocalCounts 
CdmaCellLocationHarvest           LocationHarvest 
CdmaCellLocationHarvestCounts     LocationHarvestCounts 
CellLocation                      LteCellLocationHarvest 
CellLocationBoxes                 LteCellLocationHarvestCounts 
CellLocationBoxes_node            PassHarvest 
CellLocationBoxes_parent          PassHarvestCounts 
CellLocationBoxes_rowid           TableInfo 
CellLocationCounts                UnknownCellLocationHarvest 
CellLocationHarvest               UnknownCellLocationHarvestCounts 
CellLocationHarvestCounts         WifiLocation 
CellLocationLocal                 WifiLocationCounts 
CellLocationLocalBoxes            WifiLocationHarvest 
CellLocationLocalBoxes_node       WifiLocationHarvestCounts 
CellLocationLocalBoxes_parent 


The other very important point to keep in mind regarding geolocation artifacts is 
that many other applications, especially third-party ones such as the fitness apps 
people use to track their running routes, may also store geographical coordinates 
and related timestamps, in clear text. 
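As an added example (not part of the original chapter), the following Python script shows how an analyst would query such a location cache offline: it converts the Timestamp column from Mac Absolute Time (seconds since 1 January 2001 UTC, not Unix epoch) to UTC, keeps only the fixes whose horizontal accuracy is usable, measures how many days the cache spans, and exports the result as KML for plotting in Google Earth or QGIS. The column names (MAC, Timestamp, Latitude, Longitude, HorizontalAccuracy) are those of the consolidated.db WifiLocation table and are assumed to apply to cache_encryptedA.db as well; the rows that run_demo() inserts are constructed sample data, not a real device cache. 

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# locationd stores dates as Mac Absolute Time: seconds since 2001-01-01 00:00:00 UTC
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_utc(seconds):
    """Convert a Mac Absolute Time value to an aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)


def build_sample_cache(path):
    """Constructed sample data. The column names are those of the consolidated.db
    WifiLocation table and are assumed to match cache_encryptedA.db."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE WifiLocation (MAC TEXT, Timestamp REAL, Latitude REAL, "
                "Longitude REAL, HorizontalAccuracy REAL)")
    con.executemany("INSERT INTO WifiLocation VALUES (?,?,?,?,?)", [
        ("0:1:2:3:4:5", 437000000.0, 45.4642, 9.1900, 50.0),                  # usable fix
        ("a:b:c:d:e:f", 437000000.0 + 3 * 86400, 44.4056, 8.9463, 2000.0),   # too vague
        ("1:2:3:4:5:6", 437000000.0 + 7 * 86400, 41.9028, 12.4964, 25.0),    # usable fix
    ])
    con.commit()
    con.close()


def wifi_fixes(path, max_acc_m=100.0):
    """Fixes with HorizontalAccuracy within max_acc_m metres, oldest first."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT MAC, Timestamp, Latitude, Longitude, HorizontalAccuracy "
        "FROM WifiLocation WHERE HorizontalAccuracy <= ? ORDER BY Timestamp",
        (max_acc_m,)).fetchall()
    con.close()
    return [{"mac": mac, "utc": mac_absolute_to_utc(ts).isoformat(),
             "lat": lat, "lon": lon, "acc_m": acc} for mac, ts, lat, lon, acc in rows]


def cache_span_days(path):
    """Days between the oldest and newest entry: cache_encryptedA.db should stay
    within roughly the 8-day retention described in the text."""
    con = sqlite3.connect(path)
    oldest, newest = con.execute(
        "SELECT MIN(Timestamp), MAX(Timestamp) FROM WifiLocation").fetchone()
    con.close()
    return (newest - oldest) / 86400.0


def to_kml(fixes):
    """Serialise fixes as timestamped KML placemarks (Google Earth, QGIS)."""
    placemarks = "".join(
        "<Placemark><name>%s</name><TimeStamp><when>%s</when></TimeStamp>"
        "<description>horizontal accuracy %.0f m</description>"
        "<Point><coordinates>%.6f,%.6f,0</coordinates></Point></Placemark>"
        % (escape(f["mac"]), f["utc"], f["acc_m"], f["lon"], f["lat"]) for f in fixes)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>%s</Document></kml>'
            % placemarks)


def run_demo():
    """Build the constructed cache and return (fixes, span in days, kml)."""
    path = os.path.join(tempfile.mkdtemp(prefix="locationd-"), "cache_encryptedA.db")
    build_sample_cache(path)
    fixes = wifi_fixes(path)
    return fixes, cache_span_days(path), to_kml(fixes)


if __name__ == "__main__":
    fixes, span, kml = run_demo()
    print("cache spans %.1f days" % span)
    for f in fixes:
        print(f["utc"], f["mac"], f["lat"], f["lon"], "+/- %.0f m" % f["acc_m"])
    print(kml)
```

Point wifi_fixes() and to_kml() at a cache_encryptedA.db copied out of a physical acquisition; if cache_span_days() reports far more than 8 days, the file is probably the older consolidated.db rather than the encrypted cache. 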


Snapshots 

Every time a user presses the Home button to move from an application screen back 
to the home screen, iOS uses a fade-out effect for the transition between the two 
screens. To do so, iOS takes a screenshot of the current screen and then applies the 
fade-out effect to that picture. These screenshots are stored in the following locations: 

• /private/var/mobile/Library/Caches/Snapshots/ 

• /private/var/mobile/Applications/<app_UUID>/Library/Caches/Snapshots/ 

The first path refers to the pre-installed Apple applications, while the second is the 
path where the snapshots of each third-party application are found. This feature can 
clearly be a goldmine of information: for example, there could be screenshots 
containing SMS or e-mail messages that are no longer available because they have 
been deleted. 

It is important to remember that only the most recent snapshot 
is kept for each application. Therefore, the analyst should 
interact with and browse the device as little as possible in 
order not to overwrite and lose potentially crucial evidence. 
Spotlight 

As on Mac OS X, Spotlight is the indexing feature of iOS that assists the user when 
searching for things such as applications, SMS, contacts, notes, and so on. Spotlight 
indexes and searches are stored in /private/var/mobile/Library/Spotlight/, where 
there are two folders: one related to SMS searches and the other to the general 
Spotlight utility. 

Wallpaper 

The current images used as wallpaper are stored in /private/var/mobile/Library/ 
SpringBoard/. There are two different images: HomeBackgroundThumbnail.jpg, 
which is the wallpaper shown when the device is unlocked, and 
LockBackgroundThumbnail.jpg, which is the wallpaper shown when the device is locked. 

Third-party application analysis 

In the previous paragraphs, we saw where the important artifacts related to iOS 
system settings and preferences, native iOS applications, and device features are 
located. These are locations to be aware of, and it is important to know how to 
analyze them, since they are common to all iDevices. In the following paragraphs, 
we are instead going to show you a practical analysis of some of the most-used 
third-party applications. 

Skype 

Skype is probably the best-known and most widely used application for VoIP calls 
and chat. Its application folder has the following structure: 

# tree -L 2 2C5328B1-44B1-4467-B3A4-DEBDFBEB78D4/ 
2C5328B1-44B1-4467-B3A4-DEBDFBEB78D4/ 
├── Documents 
│   ├── skype-cache-501.<skype_username>.Favourites.plist 
│   ├── skype-cache-501.<skype_username>.chat-946.plist 
│   ├── skype-cache-501.<skype_username>.chat-meta-data-946.plist 
│   ├── skype-cache-501.<skype_username>.contacts.plist 
│   └── skype-cache-501.<skype_username>.conversations.plist 
├── Library 
│   ├── Application Support 
│   ├── Caches 
│   ├── Cookies 
│   └── Preferences 
├── Skype.app 
└── StoreKit 
    └── receipt 


Starting from the Preferences folder, we can find the first important piece of 
information inside the com.skype.skype.plist file: the username, as shown in the 
following screenshot (rendered here as key, type, and value): 

WebKitOfflineWebApplicationCacheEnabled   Boolean   YES 
WebDatabaseDirectory                      String    /var/mobile/Applications/2C5328B1-44B1-4467-B3A4-DEBDFBEB78D4/Library/Caches 
lastLoggedInSkypeName                     String    pa...a (partially redacted) 
LocationManagerCountryCode                String    IT 

However, the preceding screenshot shows only the last username that logged in. If 
we want to know all the profiles that have logged in from this device, we have to 
look at the folders under Library/Application Support/Skype/, where we will find 
one folder for each account that logged in on that device. 
Inside every user folder, we find all the databases storing information such as the 
contact list, chats, and so on. Here, the structure is pretty much the same as in the 
PC/desktop version. In fact, you can open the main.db file, where all information is 
stored in clear text, as you can see from the telling names of the tables: 


# sqlite3 main.db 
SQLite version 3.8.4.3 2014-04-03 16:53:12 
Enter ".help" for usage hints. 
sqlite> .tables 
Accounts          ChatMembers       DbMeta            SMSes 
Alerts            Chats             LegacyMessages    Transfers 
AppSchemaVersion  ContactGroups     MediaDocuments    VideoMessages 
CallMembers       Contacts          Messages          Videos 
Calls             Conversations     Participants      Voicemails 

The following screenshot shows the Messages table opened in a SQLite browser. Its 
columns include id, is_permanent, convo_id, chatname, author, from_dispname, 
author_was_live, guid, dialog_partner, timestamp, and body_xml; the rows (ids 153 
to 170) carry Unix epoch timestamps such as 1415118269 (4 November 2014) and 
clear-text message bodies, for example "che dici, treno?". 



This means that you can use any of your favorite Skype analysis utilities to parse 
these files, such as SkypeLogView from NirSoft. Finally, still within the application 
folder, you may also find the voicemail messages, screenshots (as addressed 
previously in the Snapshots section), files transferred via Skype, logs, and so on. 
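As an added example that is not part of the book, the following Python script automates the three steps just described on a Skype application folder: it reads lastLoggedInSkypeName from the preferences plist, enumerates the per-account folders under Library/Application Support/Skype/, and dumps the Messages table of a main.db with the Unix epoch timestamps converted to UTC and the XML markup stripped from body_xml. The tree it builds in run_demo() (account names, chat names, and texts) is constructed; the column names used in the query (id, chatname, author, from_dispname, dialog_partner, timestamp, body_xml) are the ones visible in the Messages screenshot. 

```python
import html
import os
import plistlib
import re
import sqlite3
import tempfile
from datetime import datetime, timezone

# body_xml carries inline markup such as <ss type="smile">:)</ss> and <a href="...">
TAG_RE = re.compile(r"<[^>]+>")


def last_logged_in_user(plist_path):
    """Read lastLoggedInSkypeName from Library/Preferences/com.skype.skype.plist;
    plistlib handles both binary and XML plists."""
    with open(plist_path, "rb") as fh:
        return plistlib.load(fh).get("lastLoggedInSkypeName")


def skype_profiles(app_dir):
    """Every account that ever logged in has its own folder under
    Library/Application Support/Skype/<username>/ holding a main.db."""
    base = os.path.join(app_dir, "Library", "Application Support", "Skype")
    return sorted(name for name in os.listdir(base)
                  if os.path.isfile(os.path.join(base, name, "main.db")))


def messages(main_db):
    """Dump the Messages table; timestamp is Unix epoch seconds (UTC)."""
    con = sqlite3.connect(main_db)
    rows = con.execute(
        "SELECT id, chatname, author, from_dispname, dialog_partner, timestamp, body_xml "
        "FROM Messages ORDER BY timestamp, id").fetchall()
    con.close()
    return [{"id": mid, "chat": chat, "author": author, "display_name": disp,
             "partner": partner,
             "utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
             "text": html.unescape(TAG_RE.sub("", body or ""))}
            for mid, chat, author, disp, partner, ts, body in rows]


def build_sample_app_dir(root):
    """Constructed sample tree (accounts, chat names and texts are invented)."""
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.skype.skype.plist"), "wb") as fh:
        plistlib.dump({"lastLoggedInSkypeName": "alice.example",
                       "LocationManagerCountryCode": "IT"}, fh, fmt=plistlib.FMT_BINARY)
    chat = "#alice.example/$bob.example;1a2b3c4d"
    accounts = {
        "alice.example": [
            (153, chat, "bob.example", "Bob", "bob.example", 1415118269, "che dici, treno?"),
            (154, chat, "alice.example", "Alice", "bob.example", 1415118285,
             'ok &lt;3 <ss type="smile">:)</ss>'),
        ],
        "bob.example": [],          # a second account that also logged in on this device
    }
    for user, rows in accounts.items():
        folder = os.path.join(root, "Library", "Application Support", "Skype", user)
        os.makedirs(folder)
        con = sqlite3.connect(os.path.join(folder, "main.db"))
        con.execute("CREATE TABLE Messages (id INTEGER PRIMARY KEY, chatname TEXT, author TEXT, "
                    "from_dispname TEXT, dialog_partner TEXT, timestamp INTEGER, body_xml TEXT)")
        con.executemany("INSERT INTO Messages VALUES (?,?,?,?,?,?,?)", rows)
        con.commit()
        con.close()


def run_demo():
    """Build the constructed app folder and return (last user, profiles, messages)."""
    root = tempfile.mkdtemp(prefix="skype-")
    build_sample_app_dir(root)
    last = last_logged_in_user(os.path.join(root, "Library", "Preferences", "com.skype.skype.plist"))
    profiles = skype_profiles(root)
    first_db = os.path.join(root, "Library", "Application Support", "Skype", profiles[0], "main.db")
    return last, profiles, messages(first_db)


if __name__ == "__main__":
    last, profiles, msgs = run_demo()
    print("last logged in:", last, "| all profiles:", profiles)
    for m in msgs:
        print(m["utc"], m["display_name"], "->", m["partner"], ":", m["text"])
```

On a real extraction, pass the application folder (the <app_UUID> directory) to skype_profiles() and each profile's main.db to messages(); timestamps are returned in UTC, so apply the device's time zone only when reporting. 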
WhatsApp 

Although it is technically an instant messaging application, WhatsApp has almost 
completely replaced classic SMS. Therefore, it is very likely that you will encounter 
it during a mobile forensics analysis. Let's have a look at its internal directory 
structure, which, as you may have realized, differs very little from one application 
to the other. 

# tree -L 2 7A2F36A2-7100-482C-B2E2-ED350D7BF0C2/ 
7A2F36A2-7100-482C-B2E2-ED350D7BF0C2/ 
├── Documents 
│   ├── ChatSearch.sqlite 
│   ├── ChatStorage.sqlite 
│   ├── Colors.plist 
│   ├── Contacts.sqlite 
│   ├── PPDB.plist 
│   ├── StatusList.plist 
│   ├── SyncHistory.plist 
│   ├── calls.backup.log 
│   └── calls.log 
├── Library 
│   ├── Caches 
│   ├── FieldStats 
│   ├── Logs 
│   ├── Media 
│   ├── Preferences 
│   └── pw.dat 
├── StoreKit 
│   └── receipt 
└── WhatsApp.app 

We have now understood that, to get a first hint and useful information for starting 
with an application, we may want to start by looking inside the plist configuration 
file under Library/Preferences/. In this case, we are looking for net.whatsapp. 
WhatsApp.plist. Here again, you will find some basic information, such as the 
username, the phone number the WhatsApp account is linked to, and so on. 
Regarding the actual content of the messages exchanged, the main database is 
Documents/ChatStorage.sqlite, whose structure is as follows: 

$ sqlite3 ChatStorage.sqlite 
SQLite version 3.8.4.3 2014-04-03 16:53:12 
Enter ".help" for usage hints. 
sqlite> .tables 
ZWABLACKLISTITEM   ZWAGROUPINFO     ZWAMESSAGE        ZMETADATA 
ZWACHATPROPERTIES  ZWAGROUPMEMBER   ZWAMESSAGEINFO    Z_PRIMARYKEY 
ZWACHATSESSION     ZWAMEDIAITEM     ZWAMESSAGEWORD 

The ZWAMESSAGE table is the one containing the messages exchanged, their 
timestamps, the identity of the party the user was chatting with, and so on, as shown 
in the following screenshot: 

[Screenshot: the ZWAMESSAGE table in a SQLite browser. Visible columns include 
ZMESSAGEDATE, ZSENTDATE, ZFROMJID, ZPUSHNAME, ZSTANZAID, ZTEXT, and ZTOJID. 
ZMESSAGEDATE holds values such as 429476024.647006 and 433351717.501071, 
which are Mac Absolute Time (seconds since 1 January 2001, that is, August and 
September 2014); the JID columns begin with the partially redacted phone 
numbers of the parties, and ZTEXT holds the message body in clear text.] 




The ZWACHATSESSION table stores information about the open chats, both with a 
single user and group chats, and you can correlate this data with the ZWAGROUPMEMBER 
and ZWAGROUPINFO tables to find out which users belong to which group chat. Finally, 
ZWAMEDIAITEM stores references to the multimedia files (pictures, audio messages, 
and videos) exchanged, an indication of the user involved, timestamps, and the 
location where the multimedia file has been stored on the iDevice. 

However, you will also find the chat contents inside Documents/ChatSearch.sqlite, 
in the docs_content table (a full-text search index whose columns include docid and 
a chat session reference), as shown in the screenshot of that table. 
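As an added example (not from the book), the following Python script reconstructs a WhatsApp conversation from a ChatStorage.sqlite subset: it joins ZWAMESSAGE to ZWACHATSESSION through the Core Data foreign key, converts ZMESSAGEDATE from Mac Absolute Time to UTC, labels each message as sent or received, and resolves group membership through ZWAGROUPMEMBER. The database built by run_demo() is a constructed sample; ZCHATSESSION, ZISFROMME, ZPARTNERNAME, ZCONTACTJID, ZMEMBERJID, and ZCONTACTNAME are assumed column names of the Core Data schema, not names shown on this page, and the JIDs, names, and texts are invented. 

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Core Data stores dates as seconds since 2001-01-01 00:00:00 UTC (Mac Absolute Time)
COREDATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def coredata_to_utc(value):
    return COREDATA_EPOCH + timedelta(seconds=value)


def build_sample_chatstorage(path):
    """Constructed ChatStorage.sqlite subset. ZCHATSESSION, ZISFROMME, ZPARTNERNAME,
    ZCONTACTJID, ZMEMBERJID and ZCONTACTNAME are assumed Core Data column names;
    the JIDs, names and texts are invented."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE ZWACHATSESSION (Z_PK INTEGER PRIMARY KEY, ZCONTACTJID TEXT, ZPARTNERNAME TEXT);
        CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZCHATSESSION INTEGER, ZISFROMME INTEGER,
            ZMESSAGEDATE REAL, ZFROMJID TEXT, ZTOJID TEXT, ZPUSHNAME TEXT, ZTEXT TEXT);
        CREATE TABLE ZWAGROUPMEMBER (Z_PK INTEGER PRIMARY KEY, ZCHATSESSION INTEGER,
            ZMEMBERJID TEXT, ZCONTACTNAME TEXT);
        INSERT INTO ZWACHATSESSION VALUES (1, '391234567890@s.whatsapp.net', 'Mario');
        INSERT INTO ZWACHATSESSION VALUES (2, '391234567890-1415000000@g.us', 'Trip planning');
        INSERT INTO ZWAMESSAGE VALUES (1, 1, 0, 429476024.0, '391234567890@s.whatsapp.net', NULL,
            'Mario', 'Pronto?');
        INSERT INTO ZWAMESSAGE VALUES (2, 1, 1, 429476038.0, NULL, '391234567890@s.whatsapp.net',
            NULL, 'Arrivo tra 5 minuti');
        INSERT INTO ZWAMESSAGE VALUES (3, 2, 0, 433351717.0, '391234567890-1415000000@g.us', NULL,
            'Anna', 'Ciao a tutti');
        INSERT INTO ZWAGROUPMEMBER VALUES (1, 2, '391234567890@s.whatsapp.net', 'Mario');
        INSERT INTO ZWAGROUPMEMBER VALUES (2, 2, '390987654321@s.whatsapp.net', 'Anna');
    """)
    con.commit()
    con.close()


def conversation(path, jid):
    """Messages of one chat session (1:1 or group), joined through the Core Data
    foreign key ZWAMESSAGE.ZCHATSESSION -> ZWACHATSESSION.Z_PK, oldest first."""
    con = sqlite3.connect(path)
    rows = con.execute("""
        SELECT m.ZMESSAGEDATE, m.ZISFROMME, m.ZPUSHNAME, m.ZTEXT, s.ZPARTNERNAME
        FROM ZWAMESSAGE m JOIN ZWACHATSESSION s ON m.ZCHATSESSION = s.Z_PK
        WHERE s.ZCONTACTJID = ? ORDER BY m.ZMESSAGEDATE""", (jid,)).fetchall()
    con.close()
    return [{"utc": coredata_to_utc(date).isoformat(),
             "direction": "sent" if from_me else "received",
             "sender": "me" if from_me else (push_name or partner),
             "text": text}
            for date, from_me, push_name, text, partner in rows]


def group_members(path, group_jid):
    """(name, JID) of every member of a group chat, sorted by name."""
    con = sqlite3.connect(path)
    rows = con.execute("""
        SELECT g.ZCONTACTNAME, g.ZMEMBERJID
        FROM ZWAGROUPMEMBER g JOIN ZWACHATSESSION s ON g.ZCHATSESSION = s.Z_PK
        WHERE s.ZCONTACTJID = ? ORDER BY g.ZCONTACTNAME""", (group_jid,)).fetchall()
    con.close()
    return rows


def run_demo():
    """Build the constructed database and return (1:1 conversation, group members)."""
    path = os.path.join(tempfile.mkdtemp(prefix="whatsapp-"), "ChatStorage.sqlite")
    build_sample_chatstorage(path)
    return (conversation(path, "391234567890@s.whatsapp.net"),
            group_members(path, "391234567890-1415000000@g.us"))


if __name__ == "__main__":
    chat, members = run_demo()
    for m in chat:
        print(m["utc"], m["direction"], m["sender"], ":", m["text"])
    print("group members:", members)
```

Before running the join against a real ChatStorage.sqlite, confirm the column names with `.schema ZWAMESSAGE`, since the Core Data schema changes between WhatsApp versions. 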


Facebook 

Facebook is the best-known and most widely used social network. For this reason, 
and because it is now integrated with iOS, you will most likely have to analyze the 
Facebook app in almost all of your investigations. As you can imagine, the amount of 
information stored by Facebook is very high, and it concerns three areas in particular: 
the user's personal information, a cache of images related to profiles and visited 
pages, and information related to the external sites visited within the Facebook app 
through the links present in posts. Given the large amount of information that can 
be retrieved from the Facebook app and the page limits of a book, the goal of this 
section is to give you a glimpse and some hints on possible artifacts and where to 
find them. 

The account information is saved inside Library/Preferences/com.facebook.plist. 
Among other information, you will find the e-mail address and the Facebook ID of 
the profile configured within the app, as well as the date the app was last used. 

Information related to contacts is saved in Library/Caches/FbStore.db, while the 
related profile pictures (JPG files) are saved in the Library/Caches/ImageCache/ 
folder. 

Library/Caches/_store_<APP_ID>/<iOSVersion>_<language>/FBDiskCache/ stores the 
images viewed while browsing the pages of the social network (for example, posts of 
other users), while the database Library/Caches/com.facebook.Facebook/Cache.db 
and the folder Library/Caches/com.facebook.Facebook/fsCachedData/ store the 
contents of other websites visited, including the related URLs and the corresponding 
files (for example, the JPG image, the HTML page, the CSS stylesheet, and so on). 

When the user watches a video within the social network, this information is stored 
in the database Library/Cache/com.facebook.Facebook/var/mobile/Applications/.../ 
video_url_cache/Cache.db and inside Library/Cache/com.facebook.Facebook/var/ 
mobile/Applications/.../video_url_cache/fsCachedData/. 

Cloud storage applications 

Cloud storage applications have become very popular on mobile devices, since the 
cloud extends the device's storage capacity and allows users to access their data 
anywhere and at any time. Therefore, it is very probable that you will encounter 
at least one app of this class during your analysis. In this section, we just want to 
give you a glimpse of some artifacts you can find in two of the most popular cloud 
storage services. 

Dropbox 

The Dropbox iOS app is stored under /private/var/mobile/Applications/ 
4BD80D3B-7ADA-4171-B2A0-8A534F05408D/ and its Library folder contains four 
subfolders: Cookies, DropboxPrivate, Preferences, and Cache. 

The Cache folder contains a local copy of the files that were opened, but it is 
available only if we can perform a physical acquisition (not a logical/backup 
acquisition, since the Caches folder is excluded from backups). The Preferences 
folder contains a file named com.getdropbox.Dropbox.plist with user information 
(name and surname) and the user's e-mail address. 

The following screenshot shows the application structure and the user information in 
the plist file: 

4BD80D3B-7ADA-4171-B2A0-8A534F05408D/ 
└── Library 
    ├── Cookies 
    │   └── Cookies.binarycookies 
    ├── DropboxPrivate 
    │   └── asset_hashes.db 
    └── Preferences 
        └── com.getdropbox.Dropbox.plist 

[Hex view of com.getdropbox.Dropbox.plist: a binary plist whose readable strings 
include the account holder's full name, an http://db.tt/... referral link, the 
account e-mail address, and a key starting with DBXAccount.] 


Google Drive 

The Google Drive iOS app is stored in /private/var/mobile/Applications/ 
8F139264-9142-4B84-A7C3-421ADD6BA05F/, and it contains two subfolders: Documents 
and Library, which in turn holds the folders Cookies, Preferences, and Caches. The 
Preferences folder contains a file named com.google.Drive.plist with user 
information (name and surname), user ID, and user e-mail, as shown in the following 
screenshot: 

8F139264-9142-4B84-A7C3-421ADD6BA05F/ 
├── Documents 
│   ├── epifunky@gmail.com 
│   │   └── uploadsave.dat 
│   ├── comments_snapshot_(null).db 
│   ├── comments_snapshot_epifunky@gmail.com.db 
│   ├── contacts_snapshot_epifunky@gmail.com.db 
│   ├── feed_snapshot_(null).db 
│   ├── feed_snapshot_epifunky@gmail.com.db 
│   ├── items_snapshot_(null).db 
│   └── items_snapshot_epifunky@gmail.com.db 
└── Library 
    ├── Cookies 
    │   └── Cookies.binarycookies 
    └── Preferences 
        ├── com.google.Drive.plist 
        └── googleanalytics-v2.sql 

<key>signed_in_user_email</key> 
<string>epifunky@gmail.com</string> 
<key>user_data_map</key> 
<dict> 
    <key>epifunky@gmail.com</key> 
    <dict> 
        <key>user_id</key> 
        <string>106279378770606320231</string> 
        <key>user_name</key> 
        <string>Mattia Epifani</string> 
(plist excerpt truncated in the screenshot) 

The Caches folder contains the cached copies of the opened files, but it can be 
extracted only if we can perform a physical dump. 
The Documents folder contains three interesting SQLite databases: contacts_ 
snapshot_<useremail>.db, feed_snapshot_<useremail>.db, and items_snapshot_ 
<useremail>.db. 

The Contacts db contains the user's e-mail ID, name, and shared files. The Items 
db contains all the information about the files stored in the user's drive: 

• Identifier 

• Title 

• Kind 

• MD5 hash 

• Last Modified By (username) 

• Last Modified Date 

• Last Viewed Date 

• Shared With Me Date 

• Last Modified by Me Date 

The following screenshot shows the Items db content analyzed with SQLite Expert 
for Windows: 

[Screenshot (SQLite Expert): the Items db lists, for example, a spreadsheet titled 
"Electronic Evidence Guide" (Electronic Evidence Guide.xlsx) in the folder "I miei 
file", last modified by epifunky; the date columns hold Unix epoch values such as 
1371543822 (June 2013), 1347934116 and 1290425344, with <null> where no date 
applies.] 
Deleted data recovery 

In this section, we will give you a quick overview of the difficulties of performing 
file carving on an iOS device, and we will try to understand why they arise and what 
the possibilities are. We will also look at the particular case of recovering deleted 
SQLite records. 

File carving - is it feasible? 

Apple uses a technology called Data Protection to further protect the data stored in 
the flash memory of iDevices. Every time a file is created, a new 256-bit per-file key 
is generated and used to encrypt the file content with AES. The per-file key is then 
wrapped with one of the Data Protection class keys and stored in the file's metadata, 
which is in turn encrypted with the file system key (the EMF key), itself derived from 
the unique hardware UID. The following diagram, taken directly from Apple's iOS 
Security paper of October 2014 (see Appendix A, References), summarizes the 
entire process: 

[Diagram (Apple, iOS Security, October 2014): the Hardware Key and the Passcode 
Key produce the class key that wraps the File Key; the File Key is stored in the 
File Metadata, which is encrypted with the File System Key; the File Key encrypts 
the File Contents.] 

With this premise, it is clear that the classic file carving procedure will not work: the 
unallocated space contains only encrypted content, and every file was encrypted with 
a different key. An interesting approach to carving deleted images from iOS devices 
has been published by D'Orazio et al. (see Appendix A, References). They suggest 
exploiting the journaling feature of the iOS file system, HFS+: by analyzing and 
comparing the catalog file and the journal file, it is possible to identify information 
about deleted files, such as the location of the file content and metadata, their 
timestamps, and so on. Based on this information from the journal, the analyst should 
be able to locate the deleted file's blocks, recover the wrapped per-file key from the 
old metadata, unwrap it with the appropriate class key, and decrypt the image. Note 
that the last step is only possible when the class key is available: for files in a 
passcode-protected class, that means the passcode must be known. Heather Mahalik 
(@HeatherMahalik on Twitter) describes a similar approach in her book Practical 
Mobile Forensics (Packt Publishing). Of course, such approaches require that physical 
acquisition is possible for the target device. 

However, that approach works only if the device has not been restored, wiped, or 
upgraded to a new OS version, because in those cases the file system key (EMF) is 
erased and a new one is generated. Without the original EMF key, all content in the 
unallocated space that dates from before the restore, wipe, or upgrade is gone forever. 

Carving SQLite deleted records 

We will not go into the details of the SQLite structure (for more information, see 
Appendix A, References), since it is out of the scope of this book. However, it is 
important for you to know that, besides deleted files, it is also possible to recover 
deleted records within SQLite databases: a deleted row is only unlinked from its 
page, and its bytes survive in the page's free space until they are overwritten or 
the database is vacuumed (unless the database was written with secure_delete 
enabled, which zeroes freed cells). Mari DeGrazia (@maridegrazia on Twitter) has 
developed a useful Python script that parses the database file and carves out the 
deleted entries. Its usage is as simple as running a single-line command: 

$ python sqlparse.py -f mmssms.db -r -o report.txt 

You can find it on her website and GitHub repository; she has also provided a GUI 
version of the tool (see Appendix A, References, and Appendix B, Tools for iOS Forensics). 
Moreover, it is always useful to run the strings command on the database file as 
well: you may be able to recover portions of deleted entries that the tools missed. 
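To make concrete what a record carver such as sqlparse.py does, here is an added example (not part of the book, and not the sqlparse code) in Python that reads an SQLite file at the page level and extracts printable strings only from the regions a live query never shows: freeblocks inside b-tree pages, the unallocated gap between a page's cell pointer array and its cell content area, and pages on the freelist. run_demo() builds its own sample database, deletes one row, and shows that the deleted text is still recoverable while a SELECT no longer returns it; the message texts are constructed. Note the PRAGMA secure_delete=OFF in the sample builder: the SQLite library shipped by Apple is compiled with secure_delete on by default, which is precisely why carving an iOS database sometimes yields nothing. 

```python
import os
import re
import sqlite3
import struct
import tempfile

# SQLite b-tree page type bytes (see https://www.sqlite.org/fileformat.html)
BTREE_PAGE_TYPES = {2: "interior index", 5: "interior table", 10: "leaf index", 13: "leaf table"}


def _freelist_pages(data, page_size, n_pages):
    """Walk the freelist trunk chain (file header offset 32) and return every
    trunk and leaf page number; such pages still hold whole pages of old content."""
    trunk = struct.unpack(">I", data[32:36])[0]
    pages = set()
    while trunk and trunk <= n_pages and trunk not in pages:
        pages.add(trunk)
        off = (trunk - 1) * page_size
        next_trunk, count = struct.unpack(">II", data[off:off + 8])
        count = min(count, (page_size - 8) // 4)            # guard against a corrupt count
        pages.update(struct.unpack(">%dI" % count, data[off + 8:off + 8 + 4 * count]))
        trunk = next_trunk
    return pages


def carve_free_space(path, min_len=6):
    """Return (location, text) pairs for printable runs found only in space that
    SELECT never shows: freeblocks inside b-tree pages, the unallocated gap
    between the cell pointer array and the cell content area, and freelist pages."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size       # 1 encodes 65536
    n_pages = len(data) // page_size
    freelist = _freelist_pages(data, page_size, n_pages)
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []

    def grab(region, where):
        for m in pattern.finditer(region):
            hits.append((where, m.group().decode("ascii")))

    for pgno in range(1, n_pages + 1):
        page = data[(pgno - 1) * page_size:pgno * page_size]
        if pgno in freelist:
            grab(page, "freelist page %d" % pgno)
            continue
        hdr = 100 if pgno == 1 else 0        # page 1 begins with the 100-byte file header
        ptype = page[hdr]
        if ptype not in BTREE_PAGE_TYPES:
            continue                         # overflow page, lock-byte page or junk
        first_free, n_cells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        content_start = content_start or 65536
        ptr_end = hdr + (12 if ptype in (2, 5) else 8) + 2 * n_cells
        grab(page[ptr_end:content_start], "page %d unallocated" % pgno)
        off, seen = first_free, set()
        while off and off not in seen and off + 4 <= page_size:   # freeblock chain
            seen.add(off)
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            grab(page[off + 4:off + size], "page %d freeblock@%d" % (pgno, off))
            off = nxt
    return hits


def build_sample_db(path):
    """Constructed sample: one message kept, one deleted. secure_delete is forced
    off because Apple's SQLite build zeroes freed cells by default, in which case
    nothing would be left to carve."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO messages VALUES (1, 'kept: see you at the station at 9')")
    con.execute("INSERT INTO messages VALUES (2, 'DELETED-MESSAGE-7731: bring the documents')")
    con.commit()
    con.execute("DELETE FROM messages WHERE id = 2")
    con.commit()
    con.close()


def run_demo():
    """Build the sample, return what a live query shows and what carving finds."""
    path = os.path.join(tempfile.mkdtemp(prefix="carve-"), "sample.db")
    build_sample_db(path)
    con = sqlite3.connect(path)
    live = [row[0] for row in con.execute("SELECT body FROM messages ORDER BY id")]
    con.close()
    return live, carve_free_space(path)


if __name__ == "__main__":
    live, hits = run_demo()
    print("live rows :", live)
    for where, text in hits:
        print("carved    :", where, "->", text)
```

Because a freed cell loses its first four bytes to the freeblock header, the record header is gone and the carved text has to be attributed to a table by content, not by structure; also check for a leftover -journal or -wal file next to the database, which can hold pre-deletion copies of whole pages. 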

Case study - iOS analysis with Oxygen 
Forensics Suite 2014 

The acquisition of an iPhone made with Oxygen Forensics Suite 2014 can be analyzed 
directly within the same tool. In fact, during the acquisition, all the files are parsed 
by the software, which offers a complete GUI to access and search the data. The 
screenshots used in the following pages to show the different functionalities of the 
software refer to a classic logical acquisition from an iPhone 4S with iOS 7.1.1. Some 
of the feature descriptions have been taken directly from the vendor website, 
http://www.oxygen-forensic.com. 

The screen shown in the following screenshot summarizes the main information 
related to the acquired device: model, operating system version, serial number, 
acquisition type, extraction date, investigator name, case number, and evidence 
number. 


Apple iPhone 4S 

Alias                   Apple iPhone 4S 
Retail Name             Apple iPhone 4S 
Internal Name           iPhone4,1 
Platform                iOS 
IMEI                    013180000237540 
Software Revision       7.1.1 
Boot loader             iBoot-1940.10.58 
Acquisition type        Classic logical 
Extracted by version    N/A 
Extraction started      28/10/2014 18:03:49 


Moreover, there are two separate areas: the first one refers to Common sections, 
that is, the information related to native applications and to the grouping 
functionalities offered by the software; the second one refers to the activities of 
the main applications installed on the device by the user. 

The analysis of native applications lets the analyst recover a lot of information, 
such as the phonebook with assigned photos, calendar events and notes, the call log 
(FaceTime, dialed, received, and missed calls), messages (SMS/MMS and iMessages), 
and voicemail. The following screenshot shows an example of the call history: 


Event Log - Apple iPhone 4S - 28/10/2014 18:03:49 [013180000237540] 
(filters: Full Event Log, Answered calls, Missed calls, Dialed calls, FaceTime) 

Type    Remote party   Time stamp (device)   Call duration   Country code 
Voice   +3933...       28/10/2014 15:51:09                   222 
Voice   +3933...       28/10/2014 15:50:51                   222 
Voice   +3933...       28/10/2014 13:30:29   00:00:10        222 
Voice   +390...        28/10/2014 13:10:25   00:02:29        222 
Voice   +390...        28/10/2014 12:35:25   00:16:27        222 
Voice   +3932...       28/10/2014 10:09:00                   222 
Voice   +3933...       27/10/2014 19:28:25   00:03:19        222 
Voice   +3901...       27/10/2014 19:27:53                   222 
Voice   +3932...       27/10/2014 16:48:55   00:02:47        222 
Voice   +3932...       27/10/2014 16:48:43                   222 

(The remote party numbers are redacted in the screenshot; country code 222 is the 
Italian mobile country code.) 


Moreover, with Oxygen Forensics Suite 2014, it is possible to recover information 
related to Wi-Fi access points, IP connections, and locations. The following 
screenshot shows the details of the Wi-Fi networks stored in the device under 
analysis. For each network, the SSID, the MAC address of the router/access point, 
and the connection timestamps (last joined time and last auto-joined time) are 
listed. Through websites such as www.wigle.net, it is possible to look up the MAC 
addresses and find the physical position of where the device was. 



Connections and Location Services - WiFi connections 
(toolbar: Print, Set time zones, Show map, Export to Google Earth, Geo data server, 
Averaging mode; tabs: WiFi connections, IP connections) 

SSID              BSSID               RSSI (dBm)   Channel   Last joined time 
Courtyard_CONF    38:ea:a7:7f:be:10   -76          1         04/04/2014 11:46:38 
Courtyard_LOBBY   c8:cb:b8:a2:4a:f0   -42          1         01/04/2014 13:31:27 
FON_net           00:18:84:14:4f:09   -78          2         31/03/2014 19:36:11 
Regarding the analysis of the applications installed by the user, the software extracts 
and interprets both databases and configuration files (usually in plist format) for 
the most common applications on the App Store. These applications are split into 
the following categories: 

• Messengers: Facebook, Skype, WhatsApp, Viber, Telegram, Facebook 
Messenger, Yahoo, Google Hangouts, Kik Messenger, QQ, textPlus, Line, 
and so on 

• Navigation: Google Maps, Apple Maps, Waze, and so on 

• Browsers: Safari, Google Chrome, and so on 

• Social networks: Facebook, LinkedIn, Twitter, Instagram, Vkontakte, 
and so on 

• Travel: Booking, SkyScanner, and so on 

• Productivity/business: Google Drive, Dropbox, and iBooks 

The following screenshot shows an example of WhatsApp analysis: 


[Screenshot: Apple iPhone 4S - 28/10/2014 18:03:49 [013180000237540] > Messengers > 
WhatsApp Messenger. The view has tabs for the messages, Application files (2705), 
and Application information (89), plus Show thumbnails, Show Map, and Export to 
Google Earth controls; the columns are Direction, Remote party, Remote party 
name, Text, and Time stamp (UTC), listing messages from 28/10/2014 between 
16:21:57 and 16:39:31, with parties and text redacted.] 
Finally, the software offers advanced functionalities for cross-searching data, 
as follows: 

• Aggregated Contacts: This section analyzes the contacts from multiple 
sources such as the Phonebook, Messages, Event Log, Skype, chat, and 
messaging applications. It automatically reveals the same people in 
different sources and groups them in one meta-contact. 

• Dictionaries: This section shows all the words ever entered in device 
messages, notes, and calendar. 

• Links and Stats: This section reveals the social connections between the 
users of the mobile devices under investigation and their contacts, by 
analyzing calls, text, multimedia and e-mail messages, and Skype activities. 

• Timeline: This section organizes all calls, messages, calendar events, geo 
data, and other activities chronologically, so the analyst can follow the 
conversation history without the need to switch between different sections. 

• Social Graph: This section is a workspace that allows the analyst to 
review connections between mobile device owners and their contacts, 
pinpoint connections between multiple device owners, and detect their 
common contacts. 

Other than the automated analysis, it also offers the ability to navigate the file 
system and view all the different file types (documents, images, videos, and audio). 
There are also two embedded tools to view SQLite databases and plist files. The 
first one also offers the possibility to recover deleted records from databases, 
making it possible to retrieve calls, messages, photo thumbnails, contact photos, 
application databases, and so on. 

The software turned out to be very easy to use, even for users without advanced 
technical skills. It allows keyword searches in a very intuitive way, also applying 
filters on every field of the application analyzed. Finally, it also allows exporting 
the findings, and it automatically generates a report in different formats (Word, 
Excel, PDF, HTML, and so on). 

A detailed list of the features available for iOS devices can be found at 
http://www.oxygen-forensic.com/en/features/analyst/applications and at 
http://www.oxygen-forensic.com/en/compare/devices/software-for-iphone. 
Summary 

In this chapter, we showed how to approach the analysis of both the native iOS 
applications that come with every iOS device and third-party applications. 

We looked at some of the most common applications, but the approach is the same 
for any other. It should also be clear how important it is to be able to parse plist 
files and SQLite databases, and to carve deleted records out of the latter, since these 
are the two main data structures an analyst will have to deal with in every analysis. 
Last but not least, this chapter provides you with a good number of locations of 
interesting forensic artifacts, as well as tools to analyze them. Remember that 
in-depth analysis, references, and tools are available in Appendix A, References, and 
Appendix B, Tools for iOS Forensics, while in Appendix C, iOS 8 - What it Changes for 
Forensic Investigators, you will find references to what has changed with the new iOS 8. 

In Chapter 5, Evidence Acquisition and Analysis from iTunes Backup, we will see how to 
acquire and analyze forensic evidence from an iTunes backup. 

Self-test questions 

1. In which iOS folder is most of the information of interest saved? 

1. /private/var/mobile 

2. /Users/mobile 

3. /private/var/user/mobile 

4. /private/user/mobile 

2. Which is the timestamp convention used in iOS? 

1. UNIX Epoch Time 

2. Apple Time 

3. Windows Time 

4. MAC Absolute Time 

3. What does the file com.apple.mobile.installation.plist contain? 

1. Last store search 

2. IP networking information 

3. List of installed applications 

4. Password saved in the iDevice 
4. In which file is the information related to the SIM card used in the iDevice 
stored? 

1. ClearedSections.plist 

2. com.apple.network.identification.plist 

3. com.apple.commcenter.plist 

4. com.apple.springboard.plist 

5. What is the name of the database containing the user address book? 

1. AddressBook.db 

2. AddressBook.sqlitedb 

3. AddressBook.sqlite 

4. AB.db 

6. In which folder is the call history saved? 

1. /private/var/CallHistory 

2. /private/var/wireless/Library/CallHistory/ 

3. /private/var/Library/CallHistory/wireless 

4. /private/var/Library/CallHistory/ 

7. What kind of file is used to store Safari browsing history? 

1. SQLite 

2. Txt 

3. Plist 

4. HTML 

8. What is the name of the file containing the keyboard cache used for auto 
correction and auto completion? 

1. UserDictionary.txt 

2. Dict.dat 

3. Dynamic-Text.dat 

4. Text.dat 
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Evidence Acquisition and 
Analysis from iTunes Backup 

The goal of this chapter is to introduce you to the different types of backup 
(encrypted or unencrypted), to the structure of a backup, to the techniques and 
software available to extract meaningful data from it, and to show you how to crack 
an encrypted backup and extract the passwords saved inside it. These concepts are 
really useful because sometimes the analyst does not have the iOS device, or cannot 
access it, but does have access to a computer containing an iTunes backup. 


iTunes backup 

The Apple iTunes software allows the user to create two different types of backup of 
their iOS devices: encrypted and unencrypted. An unencrypted backup is completely 
accessible, while an encrypted one is protected with a password chosen by the owner 
of the device. The first time the user sets a backup password, it is saved inside 
the iDevice, and every subsequent backup is encrypted with the same password 
(until the user decides to change it). For this reason, if a password has already been 
set when performing a forensic acquisition, we will obtain an encrypted backup 
(see Chapter 3, Evidence Acquisition from iDevices, for the different techniques used to 
acquire a device with a backup password set). 
iTunes backup folders 

The folder where the backup data is stored depends on the computer's operating 
system. iTunes saves the backup files in these folders: 

• Mac: ~/Library/Application Support/MobileSync/Backup/ 

• Windows XP: \Documents and Settings\(username)\Application 
Data\Apple Computer\MobileSync\Backup\ 

• Windows Vista, Windows 7, and Windows 8: \Users\(username)\ 
AppData\Roaming\Apple Computer\MobileSync\Backup\ 

Inside these folders, there is a subfolder for each iDevice that has been backed up 
with that computer. The name of the subfolder is the UDID of the device, 
a 40-character hexadecimal string. iTunes keeps a single backup per device and, 
on each run, copies only the files that have been modified since the previous backup. 
When a device is updated to a new OS version and then restored, the last backup 
created before the update is not overwritten the first time a new backup is created: 
the old backup folder is preserved by appending the timestamp of the backup to the 
end of the folder name. 

iTunes backup content 

According to Apple specifications (see the article available at http://support. 
apple.com/kb/ht4946, as mentioned in Appendix A, References), inside a backup we 
can find the following contents: 

• Camera Roll (photos, screenshots, images saved, and videos taken) 

For devices without a camera, Camera Roll is called Saved Photos 

• Contacts and Contact Favorites 

• Calendar accounts and subscribed calendars 

• Calendar events 

• Safari bookmarks, cookies, history, offline data, and currently open pages 

• Autofill for webpages 

• Offline web app cache/ database 

• Notes 

• Mail accounts (mail messages aren't backed up) 

• Microsoft Exchange account configurations 

• Call history 
• Messages (iMessage and carrier SMS or MMS pictures and videos) 

• Voicemail token 

• Voice memos 

• Network settings (saved Wi-Fi hotspots, VPN settings, and network 
preferences) 

• Keychain (includes e-mail account passwords, Wi-Fi passwords, and 
passwords you enter into websites and some apps) 

• App Store app data (except the app itself, its tmp, and the Caches folder) 

• App settings, preferences, and data, including documents 

• In-app purchases 

• Game Center account 

• Wallpapers 

• Location service preferences for apps and websites you've allowed to use 
your location 

• Home screen arrangement 

• Installed profiles 

• Map bookmarks, recent searches, and the current location displayed in Maps 

• Nike + iPod saved workouts and settings 

• Paired Bluetooth devices 

• Keyboard shortcuts and saved suggestion corrections 

• Trusted hosts that have certificates and can't be verified 

• Web clips 

One of the main differences between an unencrypted backup and an encrypted 
one concerns the Keychain file. Inside an unencrypted backup, the keychain items are 
encrypted with a key derived from the device's UID, which never leaves the device; 
they therefore cannot be decrypted offline, nor restored on a device other than 
the one used to generate the backup. Inside an encrypted backup, the Keychain file is 
instead protected with keys derived from the backup password. In practice, this means 
the following: 

• If the device does not have a backup password set by the user, the examiner can, 
during the acquisition, create an encrypted backup with a password of their own 
choice and later read the passwords saved in the keychain without the need to 
crack anything 

• If the device already has a backup password set by the user, the examiner can 
create an encrypted backup during the acquisition and then try to crack the 
password in order to extract the credentials saved in the keychain 

In particular, the Keychain file contains the following types of password: 

• Passwords of the Wi-Fi networks the device has been connected to 

• Passwords of the e-mail accounts configured in Apple Mail 

• VPN credentials 

• Credentials of all third-party apps that use keychain as the 
password container 

iTunes backup structure 

In a backup folder, there are some standard files with fixed names and contents and 
hundreds of files whose names are 40-character hexadecimal strings. The file name 
acts as a unique identifier for every file copied from the iDevice: each file is 
named with the SHA-1 hash of a string built from the domain and the original full 
path of the file, in the following form: 

Domain-[subdomain-]fullpath/filename.ext 

Consider the following example: 

AppDomain-com.skype.skype-Library/Preferences/com.skype.skype.plist 

Here, AppDomain is the name of the domain, com.skype.skype is the subdomain, and 
Library/Preferences/com.skype.skype.plist is the path and name of the file. 

Calculating the SHA-1 hash of AppDomain-com.skype.skype-Library/Preferences/ 
com.skype.skype.plist gives bc0e135b1c68521fa4710e3edadd6e74364fc50a. 

This is the 40-character string we are talking about. Since the hash is one-way, 
the original path of a backup file can only be recovered by looking the name up in 
Manifest.mbdb, or by hashing a candidate domain and path and comparing the result. 

The meaning of the elements named domain and subdomain is explained later in 
this chapter. 
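To make the naming scheme concrete, here is a small Python helper added for this edition (it is not code from the chapter or from any tool the chapter describes). It rebuilds the hashed file name from a domain, an optional subdomain and a path, and then uses the scheme in reverse: by hashing a short table of commonly documented artefact locations it can tell which well-known databases are present in a backup folder before Manifest.mbdb has even been parsed. The table of locations (HomeDomain with Library/SMS/sms.db, and so on) is an assumption drawn from the paths discussed in the previous chapters; confirm each entry against Manifest.mbdb for the iOS version at hand.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional


def backup_key(domain: str, path: str, subdomain: Optional[str] = None) -> str:
    """Build the string iTunes hashes: Domain-[subdomain-]path.
    Only AppDomain entries carry a subdomain (the app's bundle identifier)."""
    return f"{domain}-{subdomain}-{path}" if subdomain else f"{domain}-{path}"


def backup_filename(domain: str, path: str, subdomain: Optional[str] = None) -> str:
    """The 40-hex-character SHA-1 that names this element's file in the backup folder."""
    return hashlib.sha1(backup_key(domain, path, subdomain).encode("utf-8")).hexdigest()


# Commonly documented locations of artefacts discussed in this book (iOS 5-7 era).
# Assumed for this example: verify each against Manifest.mbdb before relying on it.
# Format: label -> (domain, path, subdomain or None)
KNOWN_ARTEFACTS = {
    "AddressBook.sqlitedb": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb", None),
    "sms.db": ("HomeDomain", "Library/SMS/sms.db", None),
    "call_history.db": ("WirelessDomain", "Library/CallHistory/call_history.db", None),
    "Safari History.plist": ("HomeDomain", "Library/Safari/History.plist", None),
    "com.apple.wifi.plist": ("SystemPreferencesDomain",
                             "SystemConfiguration/com.apple.wifi.plist", None),
    "com.skype.skype.plist": ("AppDomain", "Library/Preferences/com.skype.skype.plist",
                              "com.skype.skype"),
}


def lookup_table() -> Dict[str, str]:
    """Map each hashed backup file name back to its human-readable label."""
    return {backup_filename(d, p, s): label for label, (d, p, s) in KNOWN_ARTEFACTS.items()}


def identify(names: Iterable[str]) -> Dict[str, str]:
    """Given the file names found in a backup folder, report which known artefacts
    are present, as label -> hashed file name."""
    table = lookup_table()
    return {table[n]: n for n in names if n in table}


def identify_folder(folder: str) -> Dict[str, str]:
    """Same check run directly against a backup folder on disk."""
    return identify(os.listdir(folder))
```

On the chapter's Skype example, backup_filename("AppDomain", "Library/Preferences/com.skype.skype.plist", "com.skype.skype") must return the value quoted above; if it does not, the pre-image string differs (a stray space, a different subdomain), which is itself a useful consistency check before trusting any table of hashed names.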
Standard backup files 

These files are created by the backup service and store information about the backup 
itself. The most useful files are as follows: 

• Info.plist: This is a plain-text plist file that stores data about the 
backed up device (such as the date of backup creation, phone number, device 
name, GUID, ICCID, IMEI, product type, iOS version, serial number, UDID, 
and so on) and about the iTunes software used to create the backup (iTunes 
version number and iTunes settings). 


Info.plist as shown in a plist editor (Key, Type, Value): 

    Backup Path                string   C:\Users\Mattia.Mattia-PC\AppData\Roaming\Apple (truncated in the screenshot) 
    Build Version              string   11D167 
    Contains Application Data  boolean  true 
    Device Name                string   EpiPhone 
    Display Name               string   EpiPhone 
    GUID                       string   7CF569633A914265E62A165A10EA82F2 
    ICCID                      string   8939992280168824935 
    IMEI                       string   013180000237540 
    Installed Applications     array    (collapsed) 
    Is Encrypted               boolean  false 
    Last Backup Date           date     2014-06-22T14:30:20Z 
    Phone Number               string   +39 334 2340899 
    Product Name               string   iPhone4S 
    Product Type               string   iPhone4,1 
    Product Version            string   7.1.1 
    Serial Number              string   DNRJ9Z9SDTC0 
    Source Identifier          string   26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef 
    Target Identifier          string   26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef 
    Target Type                string   Device 
    Unique Identifier          string   26CCDBCB74B2AB8E9E97AA096883A10442C6F2EF 
    iBooks Data 2              data 
    iTunes Files               dict     (collapsed) 
    iTunes Settings            dict     (collapsed) 
    iTunes Version             string   11.1.5 
• Manifest.plist: This plist file describes the content of the 
backup. Inside this file, we can find the list of applications installed on the 
backed up device, with the name and version of each one. The file also stores 
the date the backup was made, the backup type (encrypted versus unencrypted, 
together with the BackupKeyBag that protects an encrypted backup), and some 
information about the iDevice and the iTunes software used. 


Manifest.plist as shown in a plist editor (Key, Type, Value): 

    Applications                           dict     (collapsed) 
    BackupKeyBag                           data 
    Date                                   date     2014-06-22T14:27:15Z 
    IsEncrypted                            boolean  false 
    Lockdown                               dict 
        BuildVersion                       string   11D201 
        DeviceName                         string   EpiPhone 
        ProductType                        string   iPhone4,1 
        ProductVersion                     string   7.1.1 
        SerialNumber                       string   DNRJ9Z9SDTC0 
        UniqueDeviceID                     string   26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef 
        com.apple.Accessibility            dict     (collapsed) 
        com.apple.MobileDeviceCrashCopy    dict     (collapsed) 
        com.apple.TerminalFlashr           dict     (collapsed) 
        com.apple.mobile.data_sync         dict     (collapsed) 
        com.apple.mobile.iTunes.accessories dict    (collapsed) 
        com.apple.mobile.wireless_lockdown dict     (collapsed) 
    SystemDomainsVersion                   string   20.0 
    Version                                string   9.1 
    WasPasscodeSet                         boolean  true 

• Status.plist: This binary plist stores information about the completion 
status of the backup, that is, whether the backup finished successfully or not. 

• Manifest.mbdb: This binary file stores the description of every element in 
the backup directory. It contains one record for each element of the backup 
(including symbolic links and directories, which of course have no 
corresponding data file among the backup files). Each record contains 
the following fields: 

° Domain: The domain the element belongs to. Domains are a way to 
functionally categorize elements in the device backup. 

° Path: The full path of the element. 

° Link Target: The target of the element if the element itself is a 
symbolic link. 

° User ID and Group ID 

° mtime: The time (in Unix time format) when the actual content of the 
file was last modified. 

° atime: The time when the file was last accessed. 

° ctime: The time when the file's metadata (its inode) was last changed. 

° File size: The size of the file in bytes. 

° Unix file permissions 

° File hash 

A really interesting point from a forensic perspective is that these four files 
(Info.plist, Manifest.plist, Status.plist, and Manifest.mbdb) are stored unencrypted 
even when the backup is protected with a password. This means that the information 
they contain (device identifiers, the list of installed applications, and the full 
list of files with their paths, sizes, and timestamps) is accessible without cracking 
the password. For a detailed explanation of the analysis of an encrypted backup, we 
suggest reading the research by Hal Pomeranz (see Appendix A, References). The 
preceding fields are laid out as shown in the following diagram: 


uint8 


uint8[6] 


"mbdb\5\0" 


Header 

Record 

Record 

Record 





string 

string 

string 

string 

string 

Domain 

Path 

Link Target 

Data Hash 

unknown 

uintl 6 

uint32 

uint32 

uint32 

uint32 

Perm. 

unknown 

unknown 

User ID 

Group ID 

uint32 

uint32 

uint32 

uint64 

uint8 

m. time 

a. time 

c. time 

File size 

Flag 


Property count 

Property 

Property 





string 

string 



► 

Name 

Value 
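The layout above is simple enough to parse with a few dozen lines of Python. The following parser is an added example, not code from the chapter or from iPBA: it follows the record layout in the diagram, treating every integer as big-endian and every string as a uint16 length followed by that many bytes, with a length of 0xFFFF meaning the string is absent (this string encoding comes from the public descriptions of the format the chapter refers to; the diagram itself shows only the field order). The fifth string, which the diagram labels unknown, is kept as raw bytes. The sample Manifest.mbdb at the bottom is constructed by the code itself in the same layout so that the example runs offline; its domains, paths, sizes and timestamps are invented.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MBDB_MAGIC = b"mbdb\x05\x00"
# Fixed-size tail of a record (big-endian): mode, two unknown uint32s, uid, gid,
# mtime, atime, ctime, file size, flag, property count = 40 bytes.
_FIXED = ">HIIIIIIIQBB"
_FIXED_LEN = struct.calcsize(_FIXED)


@dataclass
class MbdbRecord:
    domain: str
    path: str
    link_target: str
    data_hash: bytes
    extra: bytes            # fifth string, labelled "unknown" in the diagram
    mode: int
    uid: int
    gid: int
    mtime: int
    atime: int
    ctime: int
    size: int
    flag: int
    properties: Dict[str, bytes]

    @property
    def is_dir(self) -> bool:
        return (self.mode & 0xF000) == 0x4000

    @property
    def is_file(self) -> bool:
        return (self.mode & 0xF000) == 0x8000

    @property
    def is_symlink(self) -> bool:
        return (self.mode & 0xF000) == 0xA000

    @property
    def backup_filename(self) -> str:
        """SHA-1 of "Domain-path": the name of this element's data file in the backup folder."""
        return hashlib.sha1(f"{self.domain}-{self.path}".encode("utf-8")).hexdigest()


def _read_string(buf: bytes, off: int):
    """uint16 big-endian length followed by the bytes; 0xFFFF means the string is absent."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0xFFFF:
        return b"", off
    return buf[off:off + n], off + n


def parse_mbdb(data: bytes) -> List[MbdbRecord]:
    if not data.startswith(MBDB_MAGIC):
        raise ValueError("not a Manifest.mbdb file (bad magic)")
    off, records = len(MBDB_MAGIC), []
    while off < len(data):
        strings = []
        for _ in range(5):          # domain, path, link target, data hash, unknown
            s, off = _read_string(data, off)
            strings.append(s)
        mode, _, _, uid, gid, mtime, atime, ctime, size, flag, nprops = \
            struct.unpack_from(_FIXED, data, off)
        off += _FIXED_LEN
        props: Dict[str, bytes] = {}
        for _ in range(nprops):
            name, off = _read_string(data, off)
            value, off = _read_string(data, off)
            props[name.decode("utf-8", "replace")] = value
        domain, path, link, data_hash, extra = strings
        records.append(MbdbRecord(domain.decode("utf-8", "replace"),
                                  path.decode("utf-8", "replace"),
                                  link.decode("utf-8", "replace"), data_hash, extra,
                                  mode, uid, gid, mtime, atime, ctime, size, flag, props))
    return records


def listing(records: List[MbdbRecord]) -> Dict[str, str]:
    """Map hashed data-file name -> "Domain-path" for every regular file
    (directories and symlinks have no data file in the backup folder)."""
    return {r.backup_filename: f"{r.domain}-{r.path}" for r in records if r.is_file}


# --- Constructed sample data (invented values, not a real backup) ----------------
def _pack_string(s: bytes) -> bytes:
    return b"\xff\xff" if not s else struct.pack(">H", len(s)) + s


def build_record(domain: str, path: str, mode: int, size: int = 0, mtime: int = 0,
                 link: str = "", properties: Optional[Dict[str, bytes]] = None) -> bytes:
    """Serialise one record in the layout above; used only to build the sample file."""
    props = properties or {}
    out = b"".join(_pack_string(s.encode("utf-8")) for s in (domain, path, link))
    out += _pack_string(b"") + _pack_string(b"")      # data hash and "unknown": absent
    out += struct.pack(_FIXED, mode, 0, 0, 501, 501, mtime, mtime, mtime, size, 0, len(props))
    for name, value in props.items():
        out += _pack_string(name.encode("utf-8")) + _pack_string(value)
    return out


SAMPLE_MBDB = MBDB_MAGIC + b"".join([
    build_record("HomeDomain", "Library/SMS", 0o40755),
    build_record("HomeDomain", "Library/SMS/sms.db", 0o100644, size=65536, mtime=1403447420),
    build_record("WirelessDomain", "Library/CallHistory/call_history.db", 0o100644,
                 size=28672, mtime=1403447400, properties={"example.property": b"x"}),
    build_record("SystemPreferencesDomain", "SystemConfiguration/preferences.plist", 0o120777,
                 link="/private/var/preferences/SystemConfiguration/preferences.plist"),
])
```

On a real backup, read Manifest.mbdb into bytes and pass it to parse_mbdb; listing() then gives the mapping needed to rename the hashed files back to Domain-path form (the same reconstruction the "Restore original file names" option of commercial tools performs), and the mtime/atime/ctime fields give a timeline of the device's files even when the backup is encrypted.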
The first level of the hierarchy of the backup files is their domain. The domain of 
each file is written in its record in the Manifest.mbdb file. Each file 
has a domain name chosen from the following list: 

• App domain (AppDomain): This domain contains data related to the installed apps 

• Camera Roll domain (CameraRollDomain): This domain contains multimedia elements 
related to the Camera application, such as images, videos, video previews, and 
image thumbnails 

• Home domain (HomeDomain): This domain contains data related to the standard 
applications that come preinstalled with iOS 

• Keychain domain (KeychainDomain): This domain contains the encrypted data related 
to the keychain 

• Managed Preferences domain (ManagedPreferencesDomain) 

• Media domain (MediaDomain): This domain contains multimedia elements not related 
to the Camera application, such as multimedia elements from MMSs and 
audio recordings 

• Mobile Device domain (MobileDeviceDomain): This domain contains the provisioning 
profiles 

• Root domain (RootDomain): This domain contains cache data related to the 
geolocation capabilities of the device 

• System Preferences domain (SystemPreferencesDomain): This domain contains 
configuration files for core components of iOS 

• Wireless domain (WirelessDomain): This domain contains data about the mobile 
phone component of the device 

Elements in the App domain are further divided into subdomains according to 
the application they belong to, while elements in the other domains do not use 
this feature. When the subdomain is used, the domain string is written as 
<domain>-<subdomain>. Details about the backup structure are available at 
https://theiphonewiki.com/wiki/ITunes_Backup. 
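Because Info.plist and Manifest.plist are plaintext even in a password-protected backup, the first step on a seized backup folder is to read them and decide what to do next. The following Python triage function is an added example (not code from the chapter, from iPBA, or from any Elcomsoft tool) built on the standard plistlib module. The two embedded XML plists are constructed for the example using the keys and values shown in the screenshots earlier in this section, with the encryption flag set to true to show the encrypted case; the Applications entry and the BackupKeyBag bytes are invented placeholders.

```python
import os
import plistlib
from typing import Any, Dict

# Constructed sample Info.plist: keys and values follow the chapter's screenshot,
# with Is Encrypted flipped to true. Not a file taken from a real backup.
SAMPLE_INFO = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Device Name</key><string>EpiPhone</string>
  <key>Product Type</key><string>iPhone4,1</string>
  <key>Product Version</key><string>7.1.1</string>
  <key>Build Version</key><string>11D167</string>
  <key>Serial Number</key><string>DNRJ9Z9SDTC0</string>
  <key>IMEI</key><string>013180000237540</string>
  <key>ICCID</key><string>8939992280168824935</string>
  <key>Is Encrypted</key><true/>
  <key>Last Backup Date</key><date>2014-06-22T14:30:20Z</date>
  <key>Target Identifier</key><string>26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef</string>
  <key>Unique Identifier</key><string>26CCDBCB74B2AB8E9E97AA096883A10442C6F2EF</string>
  <key>iTunes Version</key><string>11.1.5</string>
</dict></plist>"""

# Constructed sample Manifest.plist (Applications and BackupKeyBag are placeholders).
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Applications</key><dict>
    <key>com.skype.skype</key><dict>
      <key>CFBundleIdentifier</key><string>com.skype.skype</string>
      <key>CFBundleVersion</key><string>4.17</string>
    </dict>
  </dict>
  <key>BackupKeyBag</key><data>REFUQQ==</data>
  <key>Date</key><date>2014-06-22T14:27:15Z</date>
  <key>IsEncrypted</key><true/>
  <key>Lockdown</key><dict>
    <key>BuildVersion</key><string>11D201</string>
    <key>DeviceName</key><string>EpiPhone</string>
    <key>ProductType</key><string>iPhone4,1</string>
    <key>ProductVersion</key><string>7.1.1</string>
    <key>SerialNumber</key><string>DNRJ9Z9SDTC0</string>
    <key>UniqueDeviceID</key><string>26ccdbcb74b2ab8e9e97aa096883a10442c6f2ef</string>
    <key>WasPasscodeSet</key><true/>
  </dict>
  <key>SystemDomainsVersion</key><string>20.0</string>
  <key>Version</key><string>9.1</string>
</dict></plist>"""


def triage(info: bytes, manifest: bytes) -> Dict[str, Any]:
    """Collect the facts an examiner needs before deciding whether the backup
    has to be cracked. Both plists are readable even in an encrypted backup."""
    i = plistlib.loads(info)
    m = plistlib.loads(manifest)
    lock = m.get("Lockdown", {})
    apps = m.get("Applications") or {}
    return {
        "udid": i.get("Unique Identifier") or lock.get("UniqueDeviceID"),
        "device_name": i.get("Device Name") or lock.get("DeviceName"),
        "product_type": i.get("Product Type") or lock.get("ProductType"),
        "ios_version": i.get("Product Version") or lock.get("ProductVersion"),
        "build": i.get("Build Version") or lock.get("BuildVersion"),
        "serial": i.get("Serial Number") or lock.get("SerialNumber"),
        "imei": i.get("IMEI"),
        "iccid": i.get("ICCID"),
        "itunes_version": i.get("iTunes Version"),
        "backup_date": m.get("Date") or i.get("Last Backup Date"),
        # Manifest.plist is authoritative for the encryption flag; Info.plist mirrors it.
        "is_encrypted": bool(m.get("IsEncrypted", i.get("Is Encrypted", False))),
        "has_keybag": isinstance(m.get("BackupKeyBag"), (bytes, bytearray)),
        "passcode_was_set": bool(lock.get("WasPasscodeSet", False)),
        "installed_apps": sorted(apps.keys()),
        "manifest_version": m.get("Version"),
    }


def triage_folder(folder: str) -> Dict[str, Any]:
    """Run the triage on a backup folder on disk (the UDID-named directory)."""
    with open(os.path.join(folder, "Info.plist"), "rb") as f:
        info = f.read()
    with open(os.path.join(folder, "Manifest.plist"), "rb") as f:
        manifest = f.read()
    return triage(info, manifest)


def next_step(report: Dict[str, Any]) -> str:
    """What the encryption flag implies for the rest of the analysis."""
    if not report["is_encrypted"]:
        return "Unencrypted backup: parse it directly with a backup analysis tool."
    return ("Encrypted backup: Info.plist, Manifest.plist and Manifest.mbdb are still readable, "
            "but file contents and the keychain require the backup password (crack it or obtain it).")
```

Running triage_folder on the UDID-named directory gives the device identifiers to match against the seizure record, the list of installed applications (which tells you which app-specific parsers to prepare), and the encryption flag that decides whether a cracking step is needed before the file contents can be examined.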
iTunes backup data extraction 

There are several tools available to extract data from an iTunes backup, both open 
source software and commercial products. These tools give complete access to the 
data in the case of an unencrypted backup and partial access in the case of an 
encrypted one (in particular, the content of the files will not be visible unless 
you know the backup password or have been able to crack it). Among the most 
interesting and powerful tools for accessing and extracting data from a backup there 
are forensic software (UFED Physical Analyzer, Oxygen Forensic® Suite, AccessData 
MPE+, EnCase, Elcomsoft Phone Viewer, and so on), commercial software for 
data extraction (iBackup Bot, iPhone Backup Extractor, DiskAid, Wondershare Dr. 
Fone, and so on), and freeware/open source software for data extraction (iPhone 
Backup Analyzer, iPhone Analyzer). A detailed list is provided in Appendix B, Tools 
for iOS Forensics. Another option is to recover the backup content on your own with 
a hex editor. In this case, we suggest reading the article available at 
http://resources.infosecinstitute.com/ios-5-backups-part-1/. 

Case study - iTunes backup analysis with iPBA 

iPhone Backup Analyzer (iPBA) is a tool developed by the Italian researcher Mario 
Piccinelli that provides a simple way to browse a backup folder and perform a 
forensic analysis of an iDevice backup. It is released as open source software under 
the MIT license and is written in Python, so it should be cross-platform (Mac, 
Linux, and Windows). 

The main goal behind its development is to provide a way to analyze the contents of 
an iPhone backup. It is meant to be used by anyone who wants to study what a 
backup contains, whether a forensic expert, an iOS developer, or simply an interested 
iPhone user. The software also comes with utilities that present content such as 
messages, contacts, Safari bookmarks, and so on in a ready-to-use way. Its feature 
set is summarized in the following diagram: 


    Decode and Explore iPhone backup 
      Viewers: XML plist viewer, Binary plist viewer, SQLite browser, Hex viewer, 
               Text viewer, Image and EXIF viewer 
      Parsers: SMS / iMessage, Call Logs, Skype, WhatsApp, Safari History, 
               Safari Bookmarks 
In a Windows environment, after downloading the tool, you need to unzip it to 
a folder and launch the executable iPBA2.exe file. By navigating to File | Open 
Archive, you can choose the folder containing the backup. The software parses and 
analyzes the backup and provides a graphical way to browse through it. 

By right-clicking on a plist or SQLite file, the analyst can view the file content. 
For example, in the following screenshot, you can see the content of the 
Manifest.plist file: 
    Manifest.plist - Plist Viewer 
      Version               9.1 
      BackupKeyBag          <data> 
      Lockdown              <dict> 
      WasPasscodeSet        True 
      Applications          <dict> 
      IsEncrypted           False 
      SystemDomainsVersion  16.0 
      Date                  2013-04-02 07:35:32.347069 

In the following screenshot, you can see the content of a Call History SQLite database: 
By choosing an item from the Plugins menu, you can also analyze useful information 
from the backup. Currently, the software offers 14 plugins: Address Book Browser, 
Call History, Phone Info Browser, Known Networks, Network Identification, Note 
Browser, Safari History Browser, Safari State Explorer, Safari Bookmarks, Skype 
Browser, Messages Browser, Thumbnails Browser, Viber Browser, and WhatsApp 
Browser. In the following screenshot, you can see, for example, the Known Networks 
plugin listing the Wi-Fi networks the device has joined: 


    Known Networks 
    SSID list: NETGEAR-NEW, UsRobotics, swisscom, AlbaWiFi, Alice-83070190, 
      VillaFornari-camere, WIFI-AIRPORT, ATL-WIFI, attwifi, CR_Airport_Free, 
      CR-Airport-Free, Cisco39989, Corcovado, Cerro Chato, PensionSantaElena, 
      PensionSantaElena02, Pargo-Feliz, posada, Campesino, ELTUCAN 

    Selected entry: 
      SSID              WIFI-AIRPORT 
      BSSID             58:35:d9:3b:13:50 
      Last joined       2014-05-04 14:36:34.813768 
      Last auto joined  2014-05-04 14:59:14.540142 


Encrypted iTunes backup cracking 

As we explained in Chapter 3, Evidence Acquisition from iDevices, and in the first part 
of this chapter, an iTunes backup can be encrypted with a password chosen by the 
iDevice user. When you seize an iDevice with a backup password already set, or if 
you have a computer with a previously created encrypted backup, you can try to 
crack the backup using a dedicated tool. At the time of writing, we were able to find 
only three software packages that can be used to crack an encrypted backup: EPPB, 
Passware Forensic, and iPhone Backup Unlocker. 




Case study - iTunes encrypted backup 
cracking with EPPB 

According to the product website, Elcomsoft Phone Password Breaker enables forensic 
access to password-protected backups for smartphones and portable devices based 
on the Apple iOS platform. The password recovery tool supports Apple devices 
running iOS, including iPhone, iPad, and iPod touch devices of all generations 
released to date, including the iPhone 5s and iOS 7. 

After launching the tool, the first step is to load the encrypted backup by clicking on 
the Choose source option from the main window and selecting iOS device backup, 
as shown in the following screenshot: 
The software automatically provides a list of the encrypted backups saved in the 
profile folder of the user who is executing the tool. 


    Choose iOS device backup (dialog listing the encrypted backups found) 
      [ ] Don't show this dialog again 
      [Choose another...]  [Choose] 


The analyst can choose one of the proposed encrypted backups or choose another 
folder containing other encrypted backups. After selecting the backup, the tool asks 
the analyst to select the type of cracking he/ she wants to perform. You can choose 
between two options: Dictionary Attack or Brute-Force Attack, as shown in the 
following screenshot: 
In the first case, the analyst can provide a custom dictionary file, as shown in the 
following screenshot: 



In the second case, the analyst can decide the parameters for the brute force attack, 
as follows: 





If the cracking procedure is successful, the tool provides the password to the analyst 
and gives the options to decrypt the backup (so that it can be analyzed with one of the 
tools previously mentioned). 
Alternatively, the tool can display the keychain content directly: usernames and 
passwords for Wi-Fi networks, e-mail accounts configured in the Mail app, stored 
Internet passwords, and stored passwords from other apps. 
Summary 

In this chapter, we explained the most useful information about iTunes backups 
related to the forensic analysis of an iOS device. In particular, we illustrated how 
a backup is structured and how to parse it with commercial and open source 
tools. We also explained the differences between an unencrypted and an encrypted 
backup and suggested some ways to try to crack the backup password. A really 
interesting point about iTunes backups is that if the device does not have a 
backup password already set by its owner, when performing the acquisition you 
can create an encrypted backup with a known password in order to access the 
passwords saved in the Keychain file without any cracking. Instead, if you have an 
encrypted backup whose password you are not able to crack, it is still possible to 
analyze the plist files and the content of the Manifest.mbdb file, recovering in this 
way the list of all the files present inside that backup. In the next chapter, we will 
explain how to recover data from the user's iCloud account, either with the 
credentials or with an authentication token. 

Self-test questions 

1. In which folder are iOS device backups stored in Windows 7? 

1. C:\Users\[username]\AppData\Roaming\Apple Computer\ 
MobileSync\Backup 

2. C:\Users\[username]\AppData\Local\Apple Computer\ 
MobileSync\Backup 

3. C:\Users\[username]\AppData\Apple Computer\MobileSync\ 
Backup 

4. C:\Program Data\Apple Computer\MobileSync\Backup 

2. Which file contains information about the backup (such as backup date, 
device name, etc.)? 

1. Manifest.plist 

2. Info.plist 

3. Status.plist 

4. Manifest.mbdb 

3. Which file contains the description of all the files in the backup directory? 

1. Manifest.plist 

2. Info.plist 

3. Status.plist 

4. Manifest.mbdb 

4. Which backup domain contains multimedia elements related to the camera? 

1. App Domain 

2. Camera Roll Domain 

3. Media Domain 

4. Keychain Domain 
Evidence Acquisition and Analysis from iCloud 

The goal of this chapter is to introduce the cloud service provided by Apple to all its 
users, through which they can save their backups and other files on remote servers. 

In the first part of the chapter, we will show you the main characteristics of the 
service, and then the techniques to create and recover a backup from iCloud. 


iCloud 

iCloud is a free cloud storage and cloud computing service designed by Apple to 
replace MobileMe. The service allows users to store data (music, pictures, videos, 
and applications) on remote servers and share them across devices running iOS 5 or 
later, Apple computers running OS X Lion or later, and PCs running Windows Vista 
or later. Like its predecessor, MobileMe, iCloud allows users to synchronize data 
between devices (e-mail, contacts, calendars, bookmarks, notes, reminders, iWork 
documents, and so on), or to back up an iOS device (iPhone, iPad, or iPod touch) 
to remote servers rather than to a local computer through iTunes. 





The iCloud service was announced on June 6, 2011 during the Apple Worldwide 
Developers Conference and became available to the public on October 12, 2011. 
The MobileMe service was consequently shut down on June 30, 2012 and all users 
were transferred to the new environment. In July 2013, iCloud had more than 
320 million users. Each iCloud account has 5 GB of free storage for owners 
of an iDevice with iOS 5 or later and for Mac users with Lion or later. Purchases made 
through iTunes (music, apps, videos, movies, and so on) do not count towards the 
occupied space and can be stored in iCloud and downloaded on all 
devices associated with the user's Apple ID. Moreover, the user has the option 
to purchase additional storage in tiers of 20, 200, 500, or 1,000 GB. Access 
to the iCloud service is provided through applications integrated into iDevices and 
Mac computers. To synchronize data on a PC, the user needs to 
install the iCloud Control Panel application, which can be downloaded for free 
from the Apple website. To synchronize contacts, e-mails, and calendar appointments 
on the PC, the user must have Microsoft Outlook 2007 or 2010, while for the 
synchronization of bookmarks they need Internet Explorer 9 or Safari. 

iDevice backup on iCloud 

iCloud allows users to make online backups of iDevices so that they will be able 
to restore their data even on a different iDevice (for example, in case of replacement 
of devices). The choice of which backup mode to use can be done directly in the 
settings of the device or through iTunes when the device is connected to the PC or 
Mac, as follows: 


    Backups 
      Automatically Back Up 
        (•) iCloud          Back up the most important data on your iPhone to iCloud. 
        ( ) This computer   A full backup of your iPhone will be stored on this computer. 
            [ ] Encrypt iPhone backup 
                This will also back up account passwords used on this iPhone. 
                [Change Password...] 
      Manually Back Up and Restore 
        Manually back up your iPhone to this computer or restore a backup stored on 
        this computer. 
        [Back Up Now]  [Restore Backup...] 
        Latest Backups: 
          10/10/2013 4:00 PM to iCloud 
          Today 6:08 PM to this computer 
Once the user has activated the service, the device backs up automatically whenever 
all of the following conditions are met: 

• It is connected to the power cable 

• It is connected to a Wi-Fi network 

• Its screen is locked 


iCloud online backups are incremental, taken as successive snapshots, and each 
snapshot represents the state of the device at the time of its creation. The structure 
of a backup stored on iCloud is entirely analogous to that of a backup made 
with iTunes. 


iDevice backup acquisition 

Backups made online are, to all intents and purposes, not encrypted. 
Technically, they are encrypted, but the encryption keys are stored alongside the 
encrypted files. Apple made this choice so that users can restore a backup on a 
device different from the one that created it. Currently, the acquisition 
of iCloud backups is supported by two commercial products (Elcomsoft 
Phone Password Breaker (EPPB) and Wondershare Dr.Fone) and one open source 
tool (iLoot, which is available at https://github.com/hackappcom/iloot). The 
interesting aspect is that the same technique was used in the iCloud hack of 
2014, when personal photos and videos were stolen from the victims' iCloud 
accounts and released over the Internet (more information is available at 
http://en.wikipedia.org/wiki/2014_celebrity_photo_hack). Although there is no 
strong evidence yet describing exactly how the hack was carried out, it is believed 
that Apple's Find My iPhone service was involved: its login endpoint did not lock the 
account after a certain number of wrong login attempts, which opened the door to 
brute-force attacks on the password. The tool used to brute force iCloud passwords, 
named iBrute, is still available at https://github.com/hackappcom/ibrute, but has 
not been working since January 2015. 

Case study - iDevice backup acquisition and 
EPPB with usernames and passwords 

As reported on the software manufacturer's website, EPPB allows the acquisition of 
data stored on a backup online. Moreover, online backups can be acquired without 
having the original iOS device in hand. All that's needed to access online backups 
stored in the cloud service are the original user's credentials, including their Apple 
ID, accompanied with the corresponding password. 
The iCloud login credentials can be retrieved as follows: 

• Using social engineering techniques 

• From a PC (or a Mac) on which they are stored, using tools such as: 

° iTunes Password Decryptor (http://securityxploded.com/) 

° WebBrowserPassView (http://www.nirsoft.net/) 

• Directly from the device (iPhone/iPad/iPod touch) by extracting the 
credentials stored in the keychain, as explained in Chapter 5, Evidence 
Acquisition and Analysis from iTunes Backup 

Once the credentials have been obtained, downloading the backup is very simple. 
Follow the step-by-step instructions provided by the program: enter the username 
and password in the Download backup from iCloud dialog (Tools | Apple | 
Download backup from iCloud | Password) and click on Sign in, as shown in the 
following screenshot: 
At this point, the software displays a screen that shows all the backups present in the 
user account and allows you to download the data. 



It is important to note the following two options: 

• Restore original file names: If enabled, this option interprets the contents of 
the Manifest.mbdb file, rebuilding the backup with the same tree structure 
of domains and subdomains described in Chapter 5, Evidence Acquisition 
and Analysis from iTunes Backup. If the investigator intends to carry out the 
analysis with traditional software for data extraction from backups, it is 
recommended to disable this option because, if enabled, that software 
will no longer be able to parse the backup. 

• Download only specific data: This option is very useful when the 
investigator needs to download only some specific information. Currently, 
the software supports Call history, Messages, Attachments, Contacts, Safari 
data, Google data, Calendar, Notes, Info & Settings, Camera Roll, Social 
Communications, and so on. In this case, the Restore original file names 
option is automatically activated and cannot be disabled. 



Once you have chosen the destination folder for the download, the backup starts. 
The time required to download depends on the size of the storage space available to 
the user and the number of snapshots stored within that space. 
Case study - iDevice backup acquisition and 
EPPB with authentication token 

The Forensic edition of Phone Password Breaker from Elcomsoft is a tool that gives 
a digital forensics examiner the ability to obtain iCloud data without having the 
original Apple ID and password. This kind of access is made possible by using 
an authentication token extracted from the user's computer. These tokens can 
be obtained from any suspect's computer on which iCloud Control Panel is installed. 

In order to obtain the token, the user must be logged in to iCloud Control 
Panel on that PC at the time of acquisition, which means that the acquisition can 
only be performed in a live environment or in a virtualized image of the suspect's 
computer connected to the Internet. More information about this tool is available at 
http://www.elcomsoft.com/eppb.html. 

To extract the authentication token from iCloud Control Panel, the analyst needs 
to run a small executable called atex.exe on the machine. The executable can 
be launched from an external pen drive during a live forensics activity. 
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Open Command Prompt and launch the at ex -1 command to list all the local 
iCloud users as follows: 



Then, launch atex . exe again with the getToken parameter (-t) and enter the 
username of the specific local Windows user and the password for this user's 
Windows account. 



A file called icloud_token_<timestamp> . txt will be created in the directory from 
which atex . exe was launched. 


Screenshot: Command Prompt (cmd.exe) running atex -t mattia@Mattia-PC followed 
by the Windows account password, which prints: 

Authentication Token is successfully saved to \\?\C:\icloud_token_20140722_173658.txt 

Press any key to exit... 


The file contains the Apple ID of the current iCloud Control Panel user and its 
authentication token. 
Now that the analyst has the authentication token, they can start the EPPB software, 
navigate to Tools | Apple | Download backup from iCloud | Token, copy and 
paste the token (be careful to copy the entire second row from the .txt file 
created by the atex.exe tool) into the software, and click on Sign in, as shown in the 
following screenshot. At this point, the software shows the screen for downloading 
the iCloud backups stored within the user's iCloud space, just as it does when 
you provide a username and password. 



The procedure for the Mac OS X version is exactly the same. Just launch the atex 
Mac version from a shell and follow the steps shown previously in the Windows 
environment: 

• sudo atex -l: This command is used to get the list of all iCloud users. 

• sudo atex -t -u <username>: This command is used to get the 
authentication token for a specific user. You will need to enter the user's 
system password when prompted. 
Case study - iDevice backup acquisition 
with iLoot 

The same activity can be performed using the open source tool called iLoot (available at 
https://github.com/hackappcom/iloot). It requires Python and some dependencies. 
We suggest checking the website for the latest version and requirements. 

By accessing the help (iloot.py -h), we can see the various available options. We 
can choose the output folder, whether to download only one specified snapshot, 
whether the backup should be downloaded in the original iTunes format or with 
domain-style directories, and whether to download only specific information (for 
example, call history, SMS, photos, and so on) or only a specific domain, as follows: 

To download the backup, you only need to insert the account credentials, as 
shown in the following screenshot: 

At the end of the process, you will find the backup in the output folder (the default 
folder's name is /output). 


iCloud Control Panel artifacts on the 
computer 

The installation of the iCloud Control Panel software, besides allowing the 
recovery of the user's authentication token, as shown previously, leaves logs of 
interest on the computer's disk. On a Windows Vista/7/8 system, the logs 
of the connections to the iCloud service are stored inside 
C:\Users\<username>\AppData\Roaming\Apple Computer\Logs. To locate logs of 
interest, search within the text log files related to the icloud.exe executable. The 
files are named according to a standard format that includes the date and time at 
which the service started (for example, asl.104019_04Oct12.log), thus letting the 
analyst create a timeline of iCloud usage. 

On a Mac OS X system instead, you will find plenty of asl logs (the Apple 
system logs), so in order to check a user's iCloud activity, you will have to parse the 
following log files: 

• /private/var/log/asl/YYYY.MM.DD.UID.asl 

• /private/var/log/system.log 

The user information configured in the iCloud Control Panel software is stored in the 
following file: 

• Windows: C:\Users\<username>\AppData\Roaming\Apple Computer\Preferences\MobileMeAccounts.plist 

• Mac OS X Mavericks: /Users/<user>/Library/Preferences/MobileMeAccounts.plist 

In particular, the file holds the following user information: 

• AccountDSID: This key denotes the user identification 

• AccountID: This key denotes the iCloud account username 

• DisplayName: This key denotes the displayed name set by the account owner 

• IsPaidAccount: This key is set to True if the user has purchased additional 
services from Apple (more storage on iCloud) 

• LoggedIn: This key denotes whether the user is automatically logged in to 
the service or not 


Screenshot: MobileMeAccounts.plist (C:\Users\Mattia.Mattia-PC\AppData\Roaming\Apple Computer\Preferences\MobileMeAccounts.plist) 
opened in plist Editor Pro v2.1, List View: 

Key                      Type      Value 
Accounts                 array 
  (item)                 dict 
    AccountDSID          string    461496998 
    AccountDescription   string    iCloud 
    AccountID            string    jailbreakingios@icloud.com 
    DisplayName          string    Jailbreaking Test 
    IsPaidAccount        boolean   false 
    LoggedIn             boolean   true 
    Services             array     (one dict per service) 
    beta                 boolean   false 
    primaryEmailVerified boolean   true 
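As an added example (not code from the book or from any of the tools discussed), the following Python script pulls the account keys listed above out of a MobileMeAccounts.plist with the standard plistlib module, and turns the file names of the Windows iCloud logs into a chronological timeline. The plist content is a constructed sample modelled on the screenshot, and the reading of the log name as asl.HHMMSS_DDMonYY.log is an assumption inferred from the single example name in the text.

```python
import plistlib
import re
from datetime import datetime

# Constructed sample modelled on the MobileMeAccounts.plist screenshot; not a real account file.
# plistlib.loads() also accepts the binary plist format, so a file copied from the suspect's
# computer parses the same way whether it is XML or binary.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Accounts</key>
  <array>
    <dict>
      <key>AccountDSID</key><string>461496998</string>
      <key>AccountDescription</key><string>iCloud</string>
      <key>AccountID</key><string>jailbreakingios@icloud.com</string>
      <key>DisplayName</key><string>Jailbreaking Test</string>
      <key>IsPaidAccount</key><false/>
      <key>LoggedIn</key><true/>
      <key>Services</key><array/>
      <key>beta</key><false/>
      <key>primaryEmailVerified</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# The keys the chapter lists as the user information of interest.
ACCOUNT_KEYS = ("AccountDSID", "AccountID", "DisplayName", "IsPaidAccount", "LoggedIn")


def extract_icloud_accounts(plist_bytes):
    """Return one dict per configured account, restricted to the keys of interest."""
    root = plistlib.loads(plist_bytes)
    return [{k: entry.get(k) for k in ACCOUNT_KEYS} for entry in root.get("Accounts", [])]


# Log names such as asl.104019_04Oct12.log: HHMMSS, then DDMonYY (assumption inferred
# from the example name in the text).
LOG_NAME_RE = re.compile(r"^asl\.(\d{6})_(\d{2}[A-Za-z]{3}\d{2})\.log$")


def log_start_time(filename):
    """Service start time encoded in an iCloud Control Panel log name, or None if it does not match."""
    m = LOG_NAME_RE.match(filename)
    if not m:
        return None
    return datetime.strptime(m.group(1) + "_" + m.group(2), "%H%M%S_%d%b%y")


def icloud_timeline(filenames):
    """Chronological list of (start time, file name) for the log files in a Logs directory listing."""
    parsed = [(log_start_time(name), name) for name in filenames]
    return sorted((t, name) for t, name in parsed if t is not None)


if __name__ == "__main__":
    for account in extract_icloud_accounts(SAMPLE_PLIST):
        print(account)
    # Constructed directory listing for the demonstration.
    for when, name in icloud_timeline(["asl.104019_04Oct12.log", "asl.091500_03Oct12.log", "readme.txt"]):
        print(when.isoformat(), name)
```

On a seized disk, pass the bytes of the real MobileMeAccounts.plist to extract_icloud_accounts and the names from the Logs directory to icloud_timeline; a name that does not match the pattern is simply left out of the timeline rather than guessed at.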


Summary 

In this chapter, we introduced the iCloud service provided by Apple to store files 
on remote servers and back up iDevices. In particular, we showed the 
techniques to download the backups stored on iCloud when you know the user 
credentials (Apple ID and password) and when you have access to a computer 
where the iCloud Control Panel software is installed and in use. In the next chapter, 
application and malware analysis will be covered by providing an introduction 
to the tools and techniques most used for that kind of activity. 
Self-test questions 

1. When is a new backup on iCloud automatically created? 

1. Every 5 minutes 

2. It depends on the iOS version 

3. When the device is connected to the power cable, to a Wi-Fi network 
and is locked 

4. When the device is locked 

2. Which of these tools can be used to download a backup from iCloud? 

1. iPhone Backup Analyzer 

2. iLoot 

3. UFED Physical Analyzer 

4. iOS Forensic Toolkit 

3. Which tool can be used to recover the auth token from a PC with iCloud 
Control Panel? 

1. Oauth.exe 

2. Iloot.exe 

3. Token.exe 

4. Atex.exe 

4. Where are the log files related to iCloud Control Panel stored in Windows 7? 

1. C:\Users\[username]\AppData\Local\Apple Computer\Logs 

2. C:\Users\[username]\AppData\Local\Apple\Logs 

3. C:\Users\[username]\AppData\Roaming\Apple Computer\Logs 

4. C:\Users\[username]\AppData\Roaming\Apple\Logs 
Applications and 
Malware Analysis 


Although malware for iOS devices is not so common, it is more common when 
considering jailbroken devices. As a forensic analyst, you may be required to analyze 
a malicious application or, more generally, the behavior of a suspicious application 
you have never seen before. While we are not trying to write a comprehensive guide 
to static reverse engineering of iOS applications, this chapter gives an overview of how 
to analyze an application, whether it is malicious or not. In this chapter, you will first 
learn how to set up the working environment and install and configure the basic tools 
needed for iOS application analysis. Then, we will move on to the application analysis 
principles, learning in which states data can exist and where to look for it. Finally, 
we will see some tools in action that can help to speed up the analysis and automate 
some tasks. 


Setting up the environment 

The first step to take in order to properly set up a testing environment for iOS 
application analysis is to jailbreak your testing device. This is because, as an analyst, 
you need to have full control of what is happening on the device and be able to access 
all kinds of information, whether stored on disk, held in memory, or sent over 
the network. 

How to jailbreak an iPhone is out of the scope of this book, so we will not go into 
details on how to do it; it is also quite simple. Just download one of the software 
options available, such as Evasi0n (advised), Redsn0w, or Pangu, and follow 
the instructions. 
Once the device has been jailbroken and Cydia installed, you also need to install 
these tools: 

• OpenSSH: This tool will allow you to log in to your jailbroken device via 
Wi-Fi or USB and have a root shell access into it 

• MobileTerminal: This tool will allow you to run terminal commands on 
your device directly from your device, rather than logging in via ssh from 
a different system 

• BigBoss recommended tools: This package contains a series of useful 
command-line tools such as apt, make, wget, sqlite3, and so on 

Something you will always need to do when analyzing a malicious application is 
interacting with your iPhone via a shell, whether to install new tools or to launch 
specific commands; this is why we installed OpenSSH. The first thing you 
need to do is to change your default root password, which is alpine, in order to 
prevent someone else logging in remotely to your device (and with root privileges!). 
The mobile user ships with the same default password, so change that one as well. 
To do this, launch the MobileTerminal application you just installed and run the 
following commands: 

# su root 
Password: 
# passwd 
Changing password for root. 
New password: 
Retype new password: 
# 

Now, there is a nice and comfortable way to connect to your iPhone via USB instead 
of being obliged to go over Wi-Fi. On your computer, edit the ~/.ssh/config file by 
adding the following entry: 

Host usb 
    HostName 127.0.0.1 
    Port 2222 
    User root 
    RemoteForward 8080 127.0.0.1:8080 
This will map the usb hostname to the ssh connection with the proper parameters 
needed. Moreover, the last row sets up port forwarding such that any connection 
to port 8080 on the iPhone will be forwarded to port 8080 locally on the laptop. 

This will be useful when you have to set up a proxy to intercept the network 
communications, as you will see later in this chapter. Now, you need something 
listening on port 2222: usbmuxd, together with its iproxy helper. The daemon is in 
charge of multiplexing connections over USB to the iDevice, and iproxy binds a local 
TCP port (2222 here) and relays it to a port on the device (22, the SSH port). To 
complete the procedure on OS X, you can simply use the following commands: 

$ brew install usbmuxd 
$ iproxy 2222 22 
$ ssh usb 

Done! Now, you have a shell in your iPhone via USB. 

Before installing the other tools, it is a good practice to make sure the baseline is up 
to date. To do this, just execute the following commands from your root shell: 

# apt-get update 
# apt-get upgrade 

The update command gets the latest package list from the default repositories, while 
the upgrade command uses that list to fetch the new versions of the packages already 
installed on the device that are not yet at the latest version. 

The class-dump-z tool 

The class-dump-z command is a command-line tool used to extract the Objective-C 
class information from iOS applications. To install the tool, go to its official web 
page (https://code.google.com/p/networkpx/wiki/class_dump_z) and copy 
the link address of the last version, which currently is 0.2a. Then, using SSH, get 
into your device, fetch it with wget in a folder of your choice, and then extract it 
as follows: 

# mkdir mytools 
# cd mytools 
# wget http://networkpx.googlecode.com/files/class-dump-z_0.2a.tar.gz 
# tar xzf class-dump-z_0.2a.tar.gz 

Once done, open the iphone_armv6 folder and copy the class-dump-z 
executable to /usr/bin so that you will be able to run it from anywhere inside your 
iPhone. Then, just type class-dump-z to verify that it has been successfully installed, 
as follows: 

# cd iphone_armv6/ 
# cp class-dump-z /usr/bin/. 
# cd - 
# class-dump-z 

Usage: class-dump-z [<options>] <filename> 
where options are: 

  Analysis: 
    -p             Convert undeclared getters and setters into properties 
                   (propertize). 
    -h proto       Hide methods which already appears in an adopted 
                   protocol. 
    -h super       Hide inherited methods. 
    -y <root>      Choose the sysroot. Default to the path of latest 
                   iPhoneOS SDK, or /. 
    -u <arch>      Choose a specific architecture in a fat binary (e.g. 
                   armv6, armv7, etc.) 


However, beware that class-dump-z is not compatible with 64-bit architectures, 
which means from iPhone 5s on. In that case, you may want to have a look at the 
other tool, class-dump, available on GitHub at https://github.com/nygard/class-dump. 


Keychain Dumper 

Another very interesting and useful tool is Keychain Dumper that, as the name 
suggests, will let you dump the contents of the keychain. Normally, the way an 
application is granted access to the keychain is specified in its entitlements, which 
define the information that can be accessed by that application. The way this 
tool works is that the binary is signed with a self-signed certificate with wildcard 
entitlements. Hence, it is able to access all the keychain items. To install Keychain 
Dumper, just download the zip archive from the GitHub repo 
https://github.com/ptoomey3/Keychain-Dumper and unpack it. Then, you only need 
to copy the keychain_dumper binary to the phone as follows: 

$ scp keychain_dumper root@usb:/tmp/ 

Then, make sure that keychain_dumper is executable and validate that 
/private/var/Keychains/keychain-2.db is world readable. If not, you can set them as follows: 

# cd /tmp 
# chmod u+x keychain_dumper 
# chmod +r /private/var/Keychains/keychain-2.db 

You should now be able to run the tool without any issues. 

# ./keychain_dumper 
Generic Password 
Service: AirPort 
Account: ********work 
Entitlement Group: apple 
Label: (null) 
Generic Field: (null) 
Keychain Data: s******************* 


As you can see from the preceding output, by default, keychain_dumper only 
dumps generic and Internet passwords. However, you can also specify optional flags 
to dump additional information from the keychain, as shown from the help (-h) 
command as follows: 

# ./keychain_dumper -h 

Usage: keychain_dumper [-e] | [-h] | [-agnick] 

<no flags>: Dump Password Keychain Items (Generic Password, Internet 
Passwords) 

-a: Dump All Keychain Items (Generic Passwords, Internet Passwords, 
Identities, Certificates, and Keys) 

-e: Dump Entitlements 

-g: Dump Generic Passwords 

-n: Dump Internet Passwords 

-i: Dump Identities 

-c: Dump Certificates 

-k: Dump Keys 
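The text-only output above is what you get on the device; to carry it into a report or compare it across runs, it helps to parse it. The following Python parser is an added example, not part of Keychain Dumper or of the book: it splits the dump into one record per keychain item, maps (null) to None, lists what a given entitlement group (keychain access group) can reach, and produces a redacted copy for a report that must not carry the secrets themselves. The dump text is a constructed sample in the tool's layout, with made-up values.

```python
import re

# Constructed sample in the layout keychain_dumper prints (item class, a dashed rule,
# "Key: Value" rows, "(null)" for empty fields, a blank line between items). Values are made up.
SAMPLE_DUMP = """Generic Password
----------------
Service: AirPort
Account: homeoffice
Entitlement Group: apple
Label: (null)
Generic Field: (null)
Keychain Data: wifi-passphrase-example

Internet Password
-----------------
Server: api.example.test
Account: analyst@example.test
Entitlement Group: com.example.demoapp
Label: (null)
Keychain Data: session-cookie-example
"""

# Fields whose value is the secret itself and must not appear verbatim in a report.
SECRET_FIELDS = ("Keychain Data",)


def parse_keychain_dump(text):
    """One dict per keychain item; the item class ("Generic Password", ...) goes in '_type'."""
    items = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # Drop empty lines and the dashed rule under the item class.
        lines = [l for l in block.splitlines() if l.strip() and not set(l.strip()) <= {"-"}]
        if not lines:
            continue
        item = {"_type": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")   # split on the first colon only; values may contain ':'
            if not sep:
                continue                             # unexpected line; keep going rather than fail
            value = value.strip()
            item[key.strip()] = None if value == "(null)" else value
        items.append(item)
    return items


def items_for_entitlement_group(items, group):
    """Items an app signed for the given keychain access group can read."""
    return [i for i in items if i.get("Entitlement Group") == group]


def redact(items):
    """Copy of the items with secret values replaced by their length, leaving the originals untouched."""
    out = []
    for item in items:
        clean = dict(item)
        for field in SECRET_FIELDS:
            if clean.get(field) is not None:
                clean[field] = "<redacted, %d chars>" % len(clean[field])
        out.append(clean)
    return out


if __name__ == "__main__":
    parsed = parse_keychain_dump(SAMPLE_DUMP)
    for item in redact(parsed):
        print(item)
    print("visible to 'apple':", [i["Account"] for i in items_for_entitlement_group(parsed, "apple")])
```

Feed it the saved output of ./keychain_dumper (or ./keychain_dumper -a, which adds identities, certificates and keys with the same "Key: Value" layout) and keep the unredacted list only in the evidence store.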




dumpDecrypted 

Executables of an application downloaded from the App Store are encrypted. The 
dumpDecrypted tool, developed by Stefan Esser (iOS hacker and author of this tool), 
runs the targeted app and dumps it decrypted from memory to disk. To install 
dumpDecrypted, download the zip archive from its GitHub page 
(https://github.com/stefanesser/dumpdecrypted) on your Mac (it is for OS X only), 
unzip it, and compile the source file by simply typing the make command as follows: 

$ wget -O dumpdecrypted-master.zip https://github.com/stefanesser/dumpdecrypted/archive/master.zip 
$ unzip dumpdecrypted-master.zip 
$ cd dumpdecrypted-master 
$ make 
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -c -o dumpdecrypted.o dumpdecrypted.c 
`xcrun --sdk iphoneos --find gcc` -Os -Wimplicit -isysroot `xcrun --sdk iphoneos --show-sdk-path` -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/Frameworks -F`xcrun --sdk iphoneos --show-sdk-path`/System/Library/PrivateFrameworks -arch armv7 -arch armv7s -arch arm64 -dynamiclib -o dumpdecrypted.dylib dumpdecrypted.o 

Then, simply copy the compiled file onto your iPhone: 

$ scp dumpdecrypted.dylib root@usb:/usr/bin/ 

Application analysis 

When analyzing an application, you need to look at all its activities and interactions 
with the system, by analyzing all the traces and artifacts left on the system while 
it is running and after it has run, and at its communications to and from the system, 
which means understanding how the application sends and receives data and with 
whom. Therefore, you need to look at the three states in which data can exist. 
Data at rest 

With data at rest, we refer to all the data recorded on storage media, in our case, on 
the mobile device's internal memory. These are the plist files, the sqlite databases, 
logs, and any other information we can retrieve directly from the media itself. We 
will not go much into details here, since this procedure is the same as for the forensic 
analysis of a specific application that is going through the application directory tree 
structure to check its files and analyze the system logs. Refer to Chapter 4, Analyzing 
iOS Devices, for more details. 


Data in use 

Data in use is, as the name suggests, all data currently being used by the application. 
Such data resides in the memory (RAM) of the device. In a standard analysis of 
computer malware, memory analysis is, whenever possible, part of the game. 
Unfortunately for iOS, and in general for the entire mobile panorama, memory 
acquisition and analysis is not well developed yet, although some utilities/proof-of-concepts 
to dump the memory have been implemented. Memory analysis 
and runtime manipulation/abuse are out of the scope of this book, but you can try 
yourself and refer to readmem (https://github.com/gdbinit/readmem), memscan 
(https://hexplo.it/introducing-memscan/), or a tutorial online 
(https://blog.netspi.com/ios-tutorial-dumping-the-application-heap-from-memory/) 
to learn about memory analysis, and Hacking and Securing iOS Applications, Jonathan 
Zdziarski, O'Reilly Media, to learn about runtime manipulation/abuse. 


Data in transit 

Data in transit refers to any information that is being transferred between two nodes 
in a network, which is in our case all data sent and received by the target application. 
Being able to observe and manipulate data sent over the network by an application 
is extremely interesting and useful for behavioral/ dynamic analysis in case of a 
suspicious app. 



Before starting, remember to isolate the device from the networks (all of them), 
especially if you are analyzing a malicious application. Therefore, create an ad-hoc 
wireless network that is isolated (not connected to the Internet or to your internal 
network), then put your iPhone in Airplane Mode and switch on only the Wi-Fi 
afterwards so that the other network interfaces remain off. 

To begin with, you need to route the traffic of the phone through your computer 
in order to place yourself as man in the middle. To use the trick in your ssh 
configuration, as we did before, start by launching iproxy and establishing an ssh 
connection to your phone as follows: 

$ iproxy 2222 22 
$ ssh usb 

Then, from your device's network configuration, set the HTTP proxy to Manual with 
server 127.0.0.1 and port 8080. Because of the RemoteForward entry, connections to 
that port on the phone are redirected to port 8080 on your Mac. 


Screenshot: iOS Wi-Fi network settings with HTTP PROXY set to Manual, Server 
127.0.0.1, Port 8080, Authentication off. 


Now that the iPhone is set up, you need to set up a proxy listening on your local host 
port 8080. Burp Proxy is probably the most popular proxy (http://portswigger.net/burp/); 
it is cross-platform and there is a free version that works just fine for 
our purposes. But there are many others out there, so pick your favorite one. Once an 
HTTP request has been intercepted, with Burp you can perform several actions such 
as modifying the request parameters, intercepting and modifying the response, and 
much more. 

However, although Burp is great at intercepting the HTTP/HTTPS protocol, you may 
want to have a look at all the traffic, because some applications may not use standard 
HTTP to communicate, and record it for further analysis at a later stage. To do so, 
you will need to install Wireshark, the de facto standard packet analyzer, together 
with tcpdump, and run a capture on your loopback interface 127.0.0.1. Note that a 
capture on the loopback interface only sees the traffic that actually arrives through the 
forwarded port; anything the app sends straight over the ad-hoc Wi-Fi network has to 
be captured on that interface, or on the device itself. 

Of course, on a jailbroken iPhone, you have full control and may choose to install 
and run tcpdump directly on the device. 
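When the lab network is isolated as the note above recommends, a real upstream is usually unreachable anyway, so a recording sink on the laptop side of the RemoteForward is a useful stand-in for Burp whenever all you need is a record of what the app tried to reach. The following Python sink is an added example, not part of Burp or of the book: it listens on 127.0.0.1:8080 (the port the RemoteForward entry in ~/.ssh/config delivers to), records method, request target, Host header and body of every request, and answers with a fixed JSON reply. It is not a forwarding proxy; send_probe only stands in for the phone so the script can exercise itself, and the host names it uses are constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class SinkHandler(BaseHTTPRequestHandler):
    """Records whatever the device sends through the tunnel and answers with a fixed reply."""

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        self.server.requests.append({
            "method": self.command,
            "target": self.path,               # absolute-form URL when the client is configured as proxy
            "host": self.headers.get("Host"),
            "user_agent": self.headers.get("User-Agent"),
            "body": body.decode("utf-8", "replace"),
        })
        payload = b'{"status":"sink"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = _record

    def log_message(self, fmt, *args):
        pass  # nothing on stdout; the record list is the evidence


class SinkServer(HTTPServer):
    allow_reuse_address = True

    def __init__(self, address):
        super().__init__(address, SinkHandler)
        self.requests = []  # one dict per request, in arrival order


def start_sink(host="127.0.0.1", port=8080):
    """Start the sink in a background thread; port 0 picks a free port (handy for tests)."""
    server = SinkServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_probe(port, method, target, headers=None, body=None):
    """Stand-in for the phone: send one proxy-style request to the sink and return the HTTP status."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, target, body=body, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


if __name__ == "__main__":
    srv = start_sink(port=0)  # use the default port=8080 to match the RemoteForward entry
    port = srv.server_address[1]
    send_probe(port, "GET", "http://cdn.example.test/logo.png", {"Host": "cdn.example.test"})
    srv.shutdown()
    srv.server_close()
    for record in srv.requests:
        print(record)
```

Run it with the default port while the ssh usb session is open; every request the app issues through the proxy setting shows up in srv.requests with the host it was meant for, which is often all a first triage needs. HTTPS connections arrive as CONNECT requests, which this sink does not handle; for those, Burp with its CA certificate installed on the device remains the tool.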

Automating the analysis 

This section will quickly introduce some tools that will help you during the 
analysis, either by speeding up the most common tasks or by providing you with some 
extra and very useful functionalities. 

The iOS Reverse Engineering Toolkit 

The iOS Reverse Engineering Toolkit (iRET) is a set of tools that allows you 
to automate a series of tasks in order to analyze and reverse engineer iOS 
applications. The interesting feature of this toolkit is that everything happens directly 
on the device, while you have a web interface to interact with it. Before installing 
iRET, you will need to install the following dependencies, all of which can be 
downloaded and installed via Cydia: Python (2.5.1 or 2.7), coreutils, Erica Utilities, 
file, adv-cmds, Bourne-Again Shell, iOS Toolchain (the CoolStar version), and Darwin 
CC Tools (the CoolStar version). The iRET application also requires keychain_dumper and 
dumpDecrypted, which you should have already installed on your iPhone (see the 
Setting up the environment section). Once all the dependencies and requirements are 
met, we can finally complete the installation of iRET. Download the zip archive from 
the official website, https://www.veracode.com/sites/default/files/Resources/Tools/iRETTool.zip, 
and unzip it. Then, from your computer, copy iRET.deb to the iPhone as follows: 

$ scp iRET.deb root@usb:/var/root/mytools/ 

Then, from your iPhone, install the package and restart the iPhone: 

# dpkg -i iRET.deb 

After restarting the iPhone, you should see the iRET application icon on your 
device. Click on it and it will tell you where to connect your browser to access 
and manage it. 

Then, you just need to insert that address into your browser and you will be presented 
with the iRET control panel, where you can perform all the actions available. The 
following screenshot shows an example of this: 

The iRET application helps you in the sense that it automates several tasks that you 
would otherwise need to run manually in order to analyze an application. Once you 
select the application to analyze, iRET offers different features that can be chosen 
by selecting one of the different tabs at the top: 

• Binary analysis: Using otool, this option extracts and shows information 
about the binary. The displayed data includes binary header information; it 
tells whether Position Independent Executable (PIE), Stack Smashing Protection, 
and Automatic Reference Counting (ARC) are enabled, which would reduce 
the likelihood of finding memory corruption vulnerabilities to attack. 

• Keychain analysis: This feature automates the execution of the 
keychain_dumper utility we installed and saw before. 

• Database analysis: This feature provides you with a drop-down menu 
containing all databases (.db, .sqlite, and .sqlite3) found within the 
selected application. Once a database is selected, it will display the content of 
the database. 

• Log viewer: This feature allows you to review the last entries of the system 
logs, as well as providing you with a drop-down menu with all identified log 
and text files associated with the selected application. 

• Plist viewer: This feature allows you to view the content of all of the 
property list files that were found for the selected application. 

• Header files: If the binary is encrypted, this feature will automatically decrypt 
and perform a class dump of the unencrypted binary into separate header 
files. It will then allow you to display the content of the chosen header. 

• Theos: This feature allows you to create, edit, save, and build the theos 
tweaks, making use of Cydia Substrate for runtime manipulation. 

• Screenshot: This feature allows you to view the cached screenshot of the 
selected application if present. 
For more information about Cydia Substrate (also known as MobileSubstrate), 
Cycript and on how to manipulate the runtime, check out the following links: 

• http://iphonedevwiki.net/index.php/MobileSubstrate 

• http://www.cycript.org/ 


idb 

Developed and maintained by Daniel Mayer, idb is a tool that simplifies some of 
the most common tasks related to iOS application analysis. Originally built 
with a penetration tester/researcher focus, it can be of great value for any type of 
application analysis, thanks to the number of tools it incorporates and the features 
it offers. Written in Ruby, the installation procedure is quite straightforward; you just 
need to perform the following commands: 

$ rvm install 2.1 --enable-shared 
$ gem install bundler 
$ brew install qt cmake usbmuxd libimobiledevice 
$ git clone --recursive https://github.com/dmayer/idb.git 
$ cd idb 
$ bundle install 
$ ruby gidb.rb 

This is the procedure for Mac OS X. For more information on building and running 
it on other systems, you can refer to the official page at 
https://github.com/dmayer/idb. 
Once you have launched idb after following the configuration steps to install some 
needed tools on the device, you will have to select an application and start the 
analysis by clicking on Analyze Binary. As you can see in the following screenshot, 
on the left-hand side of the panel, this action will give the first information on 
the binary itself. As we have seen for iRET, it uses otool to verify that PIE, Stack 
Smashing Protection, and ARC are enabled, which would reduce the likelihood 
of finding memory corruption vulnerabilities to attack. Moreover, if the binary 
application is encrypted, idb will run dumpdecrypted to decrypt it before analyzing 
it. This first action is compulsory in order to enable all the others. 
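Both iRET and idb start by reading the binary's Mach-O header (the PIE flag) and by checking whether the App Store encryption described in the dumpDecrypted section is still in place before deciding to run dumpDecrypted. The following Python inspector is an added example, not code from either toolkit, from dumpDecrypted or from the book: it reads the Mach-O header flags for MH_PIE and walks the load commands looking for LC_ENCRYPTION_INFO(_64), whose cryptid field is non-zero while the binary is still encrypted. build_sample_binary constructs a minimal arm64 executable in memory so the script runs without a real app; fat binaries are rejected rather than parsed.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC_BE = b"\xca\xfe\xba\xbe"      # fat (universal) header, stored big-endian
MH_EXECUTE = 0x2
MH_PIE = 0x200000                        # header flag: ASLR-capable executable
LC_SEGMENT_64 = 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def inspect_macho(data):
    """Read the header and load commands of a thin Mach-O image.

    Returns 'pie' (MH_PIE set) and, when an LC_ENCRYPTION_INFO(_64) command is present,
    'cryptid' plus 'encrypted' (cryptid != 0 means the App Store encryption layer is still on).
    """
    if data[:4] == FAT_MAGIC_BE:
        raise ValueError("fat binary: pick one slice (for example with lipo -thin) before inspecting")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_fmt = "<7I4x"   # magic cputype cpusubtype filetype ncmds sizeofcmds flags reserved
    elif magic == MH_MAGIC:
        header_fmt = "<7I"
    else:
        raise ValueError("not a little-endian Mach-O file")
    _, cputype, _, filetype, ncmds, sizeofcmds, flags = struct.unpack_from(header_fmt, data, 0)
    result = {"arch64": magic == MH_MAGIC_64, "cputype": cputype, "filetype": filetype,
              "pie": bool(flags & MH_PIE), "encrypted": None, "cryptid": None}
    off = struct.calcsize(header_fmt)
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            result.update(cryptoff=cryptoff, cryptsize=cryptsize,
                          cryptid=cryptid, encrypted=cryptid != 0)
        off += cmdsize   # unknown commands are skipped by their own size
    return result


def build_sample_binary(encrypted, pie):
    """Constructed minimal arm64 Mach-O (header + two load commands) for demonstration; not a real app."""
    seg = struct.pack("<II16s", LC_SEGMENT_64, 72, b"__TEXT") + b"\x00" * 48     # 72-byte segment stub
    enc = struct.pack("<IIIII4x", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, 1 if encrypted else 0)
    cmds = seg + enc
    header = struct.pack("<7I4x", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         2, len(cmds), MH_PIE if pie else 0)
    return header + cmds


if __name__ == "__main__":
    for enc, pie in ((True, True), (False, False)):
        print(inspect_macho(build_sample_binary(enc, pie)))
```

On a real binary, call inspect_macho(open(path, "rb").read()) on a thin slice; if it reports encrypted, the dump you analyze has to come from dumpDecrypted first. Stack Smashing Protection and ARC are not visible in the header, they need the symbol table (otool -Iv), which this example does not parse.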
Other information related to the binary app can also be extracted from the Binary tab 
at the top of the right-hand side panel. Still in the preceding screenshot, you can 
see idb extracting all the strings from the decrypted binary. This is a standard step 
you would take when analyzing standard computer malware, and it is of great use since 
here you may find API keys, credentials, encryption keys, URLs, and other useful 
hints. From a static analysis perspective, idb binary analysis also allows you to dump all 
the class information. 

Talking about data at rest, under the Storage tab, you will be able to analyze all the 
files related to your target application, such as plist files, the sqlite databases, and 
Cache.db, which contains cached HTTP requests/responses and offline data cached 
by web applications such as images, HTML, JavaScript, style sheets, and more. The 
idb tool will also allow you to navigate through the app tree structure from the 
Filesystem tab, taking and storing successive snapshots to navigate and 
compare at a later stage. 

Two other interesting functionalities provided are the URL Handlers, which shows 
you the list of the URL handlers and includes a basic fuzzer that can be used to fuzz 
input data via the URL schemes, and the Keychain dumper, which 
allows you to dump the keychain similarly to iRET but using keychain_dump 
from Sogeti's iphone-dataprotection tool (https://code.google.com/p/iphone-dataprotection/). 

The Tools tab contains several different tools that are quite handy; they are 
as follows: 

• Background screenshot: Although this tool is more useful for forensics/ 
security purposes, it looks for the screenshot that the system may have 
taken when the application was put in the background by pressing the 
Home button. 

• Certificate manager: This tool will speed up the management and installation 
of the CA certificate. This is extremely useful, for example, when using Burp for 
HTTPS traffic with an application that actually checks that SSL is in place. 

• /etc/hosts file editor: As we have seen before for data in transit, apps do not 
always use the HTTP/HTTPS protocol, so Burp will not intercept their traffic. 
With this editor, you can quickly access and modify the /etc/hosts file of the 
iPhone in order to redirect the traffic towards custom services you may have 
fired up for the analysis. 


Screenshot: the idb Tools tab (gidb). It offers Check for Automatic Background 
Screenshot ("iOS takes an automatic screenshot whenever an app is placed into the 
background. This wizard walks you through the steps that are required to verify that 
the assessed app properly protects sensitive data before backgrounding."), Launch 
Certificate Manager and Install Burp Cert ("This tool allows you to manage SSL CA 
certificates both on iOS devices and the iOS simulator. For devices, the certificates 
are installed via Safari and a private web server run by idb. For the simulator they 
are directly stored in the simulator's truststore."), and the /etc/hosts File Editor, 
showing: 

127.0.0.1 localhost 
10.1.2.3 myfake.honeypot.com 


Last but not least, idb offers a real-time log (syslog) and pasteboard viewer (refer 
to the following screenshot) via the Log and Pasteboard tabs, respectively. Although 
it may not seem of great use to monitor the pasteboard when you are the one testing 
the application, it may surprise you to know that applications use the pasteboard 
also for Inter-Process Communication (IPC). By default, idb monitors only the main 
(default) pasteboard, but you can add additional pasteboard names to the list on the 
right-hand side so that you will also be able to monitor the private pasteboards. 
Regarding the Log panel, idb includes both system messages and any log statements 
that the app produces using NSLog, which often discloses sensitive data. 


[Screenshot: the idb Log tab streaming the device syslog ("Please wait.. Streaming 
device syslog...", "[connected]"), with a Stop button. The stream shows messages 
from kernel, WhatsApp, backboardd, ubd, librariand and awdd, each prefixed by a 
timestamp, the process name and PID, and a level such as <Notice> or <Error>.] 
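An added example (not from the book or from idb) of how an analyst can triage the stream that idb's Log tab shows: a Python script that parses syslog lines in the format of the screenshot and flags NSLog messages carrying sensitive-looking data. The sample lines, the DemoApp process name and the detection patterns are constructed assumptions.

```python
# Triage helper for the syslog stream shown in idb's Log tab (added example,
# not part of idb or the book): parse "Mon DD HH:MM:SS process[pid] <Level>:
# message" lines and flag messages (typically NSLog output) that leak data.
import re
from typing import Dict, List, Optional, Tuple

# Line shape assumed from the screenshot format (no leading hostname).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\S+?)\[(?P<pid>\d+)\] <(?P<level>\w+)>:? ?(?P<msg>.*)$"
)

# Patterns that commonly show up in careless NSLog statements.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "bearer_token": re.compile(r"(?i)bearer\s+[A-Za-z0-9._-]{16,}"),
    "credential_kv": re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[=:]\s*\S+"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(number: str) -> bool:
    """Luhn check so request ids and counters are not reported as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into fields; None for banner/status lines."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec

def find_sensitive(msg: str) -> List[str]:
    """Categories of sensitive data present in one message (each at most once)."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(msg):
            if name == "card_number" and not luhn_ok(m.group(0)):
                continue  # digit run that is not a plausible card number
            hits.append(name)
            break
    return hits

def scan_syslog(text: str, process: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Scan a captured stream, optionally restricted to one process name."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or (process and rec["proc"] != process):
            continue
        for cat in find_sensitive(rec["msg"]):
            findings.append((rec["proc"], cat, rec["msg"]))
    return findings

# Constructed sample stream: system noise plus NSLog output of a fictitious app.
SAMPLE_SYSLOG = """\
Please wait.. Streaming device syslog...
Aug 13 18:00:35 kernel[0] <Debug>: launchd[5499] Container: /private/var/mobile/Applications/<APP-UUID> (sandbox)
Aug 13 18:00:36 backboardd[34] <Error>: HID: The 'Passive' connection 'DemoApp' access to protected services is denied.
Aug 13 18:00:40 DemoApp[5499] <Warning>: login ok for alice@example.com
Aug 13 18:00:41 DemoApp[5499] <Warning>: auth header: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc123def456
Aug 13 18:00:42 DemoApp[5499] <Warning>: copied card 4111 1111 1111 1111 to pasteboard
Aug 13 18:00:43 DemoApp[5499] <Warning>: request id 1234567890123 completed
Aug 13 18:00:44 ubd[5500] <Notice>: MS Notice: Injecting: com.apple.ubd [ubd] (847.27)
"""

if __name__ == "__main__":
    for proc, cat, msg in scan_syslog(SAMPLE_SYSLOG, process="DemoApp"):
        print(f"[{cat}] {proc}: {msg}")
```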


Summary 

In this chapter, we introduced some tools for analyzing iOS applications, 
suspicious or not, mainly from a behavioral/dynamic point of view. You learned 
how to quickly analyze the binary, how to review the data and logs produced by 
the targeted application, how to intercept, manipulate, and analyze the data sent 
and received over the network, and how to automate most of the tasks with ad hoc 
toolkits, such as iRET and idb. 
Self-test questions 

1. Which tool can be used to extract Objective-C class information from iOS 
applications? 

1. OpenSSH 

2. MobileTerminal 

3. class-dump-z 

4. Keychain Dumper 

2. Which tool can be used to dump an unencrypted application from memory? 

1. usbmuxd 

2. Keychain Dumper 

3. dumpDecrypted 

4. OpenSSH 

3. Which tool can be used to verify the pasteboard content? 

1. dumpDecrypted 

2. iRET 

3. iLoot 

4. idb 

4. Which tools would you use to best analyze data in transit? 

1. Burp Proxy + Wireshark 

2. iproxy + Wireshark 

3. dumpDecrypted + tcpdump 

4. iRET + iproxy 

5. Which set of tools allows automating a series of tasks in order to analyze and 
reverse engineer iOS applications? 

1. iLoot 

2. iRET 

3. class-dump-z 

4. dumpDecrypted 
MANUALS/1000/MA1596/en_US/ipod_touch_user_guide.pdf 

• iPod Touch Tech Specs is available at http://support.apple.com/specs/#ipodtouch 

• How to find the serial number, IMEI, MEID, CDN, and ICCID number for 
iOS can be viewed at http://support.apple.com/kb/ht4061 

• Back up and restore your iOS device with iCloud or iTunes can be viewed at 
http://support.apple.com/kb/HT1766 

• Information about iOS backups (iTunes) is available at 
http://support.apple.com/kb/ht4946 

• Protect your iOS device using the information available at 
http://support.apple.com/kb/HT5874 

• Forgot passcode or device disabled (iOS) information is available at 
http://support.apple.com/kb/HT1212 

• iCloud storage and backup overview is available at 
http://support.apple.com/kb/PH12519 

• Information about troubleshooting and creating an iCloud backup is 
available at http://support.apple.com/kb/TS3992 

• HFS Plus Volume Format is available at 
https://developer.apple.com/legacy/library/technotes/tn/tn1150.html 
Device security and data protection 

If the reader is interested in learning more about the security of iOS devices, the 
following are the most interesting research works carried out: 

• Identifying Back Doors, Attack Points, and Surveillance Mechanisms in 
iOS Devices, Jonathan Zdziarski, Digital Investigation, Volume 11, Issue 1, 
March 2014, is available at 
http://www.sciencedirect.com/science/article/pii/S1742287614000036. 
A related presentation is available at 
https://pentest.com/ios_backdoors_attack_points_surveillance_mechanisms.pdf. 

• iPhone security model & vulnerabilities, Cedric Halbronn, Jean Sigwald, Sogeti 
Lab, 2010 is available at 
http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbkl-iphone.pdf. 

• iPhone data protection in depth, Jean-Baptiste Bedrune, Jean Sigwald, Sogeti 
Lab, 2012 is available at 
http://blog.pollito.fr/public/2012/06/11-hitbamsterdam-iphonedataprotection.pdf. 

• Forensics iOS, Jean-Baptiste Bedrune, Jean Sigwald is available at 
https://www.sstic.org/media/SSTIC2012/SSTIC-actes/forensicsios/SSTIC2012-Slides-forensicsios-sigwald_bedrune.pdf. 

• Overcoming data protection to re-enable iOS forensics, Andrey Belenko, Black 
Hat USA, 2011 is available at 
https://media.blackhat.com/bh-us-11/Belenko/BH_US_11_Belenko_iOS_Forensics_Slides.pdf. 

• Handling iOS encryption in a forensic investigation, Jochem van Kerkwijk, 
Universiteit van Amsterdam, 2011 is available at 
http://www.delaat.net/rp/2010-2011/p26/report.pdf. 

• iOS Keychain Weakness FAQ, Jens Heider, Rachid El Khayari, Fraunhofer Institute 
for Secure Information Technology (SIT), 2012 is available at 
http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords-faq.pdf. 

• Lost iPhone? Lost Passwords!, Jens Heider, Matthias Boll, Fraunhofer Institute 
for Secure Information Technology (SIT), 2011 is available at 
https://www.sit.fraunhofer.de/fileadmin/dokumente/studien_und_technical_reports/Whitepaper_Lost_iPhone.pdf. 

• iOS Encryption Systems, Peter Teufl, Thomas Zefferer, Christof Stromberger, 
Christoph Hechenblaikner, Institute for Applied Information Processing and 
Communications, 2014 is available at 
http://www.a-sit.at/pdfs/Technologiebeobachtung/ios-encryption-systems.pdf. 
Device hardening 

Information on how to harden an iOS device can be found in the following papers: 

• CIS Apple iOS 8 Benchmark, Center for Internet Security, 2014 is available 
at http://benchmarks.cisecurity.org/downloads/show-single/?file=appleios8.100 

• CIS Apple iOS 7 Benchmark, Center for Internet Security, 2013 is available 
at http://benchmarks.cisecurity.org/downloads/show-single/?file=appleios7.100 

• iOS Hardening Configuration Guide, Australian Government - Department of 
Defence, 2012 is available at 
http://www.asd.gov.au/publications/iOS5_Hardening_Guide.pdf 

• Security Configuration Recommendations for Apple iOS 5 Devices, National 
Security Agency, 2012 is available at 
http://www.nsa.gov/ia/_files/os/applemac/apple_ios_5_guide.pdf 

iTunes backup 

Among the papers and articles related to the iTunes backup structure and analysis, 
the most interesting are: 

• Information about MBDB and MBDX formats can be found at 
http://code.google.com/p/iphonebackupbrowser/wiki/MbdbMbdxFormat 

• iPhone 3GS Forensics: Logical analysis using Apple iTunes Backup Utility, Mona 
Bader, Ibrahim Baggili, Small Scale Digital Device Forensics Journal, 2010 is 
available at 
http://securitylearn.net/wp-content/uploads/iOS%20Resources/iPhone%203GS%20Forensics%20Logical%20analysis%20using%20Apple%20iTunes%20Backup%20Utility.pdf 

• Forensic Analysis of iPhone backups is available at 
http://www.exploit-db.com/wp-content/themes/exploit/docs/19767.pdf 

• Information about Encrypted iTunes backups by Hal Pomeranz in the 
video Forensic Lunch, 2014 is available at 
http://www.youtube.com/watch?v=mNL0okxME5A 

• Information about iTunes backup analysis by Vladimir Katalov, 2013, Elcomsoft 
Blog can be found at http://blog.crackpassword.com/2013/09/itunes_backup_analysis/ 

• Advanced Smartphone Forensics, Vladimir Katalov, ElcomSoft Co. Ltd, 2014 is 
available at http://elcomsoft.com/presentations/nullcon2014.pdf 

• Using PC Backups in Mobile Forensics, Gilad Sahar, Cellebrite is available at 
http://thetrainingco.com/Techno-2013-PDF/TUESDAY/T1%20Sahar%20-%20Using%20PC%20Backups%20in%20Mobile%20Forensics.pdf 

• Looking to iPhone backup files for evidence extraction, Clinton Carpene, School 
of Computer and Security Science, Edith Cowan University is available at 
http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1091&context=adf 

• iPhone Backup Files. A Penetration Tester's Treasure, Darren Manners, The 
SANS Institute, 2011 is available at 
http://www.sans.org/reading-room/whitepapers/testing/iphone-backup-files-penetration-testers-treasure-33859 

iCloud Backup 

Various presentations about iCloud Backup illustrate the most interesting concepts 
from a security and forensics point of view: 

• Advanced Smartphone Forensics, Vladimir Katalov, ElcomSoft Co. Ltd, 2014 is 
available at http://elcomsoft.com/presentations/nullcon2014.pdf 

• iCloud Keychain and iOS 7 Data Protection, Andrey Belenko, ViaForensics, 2013 is 
available at https://speakerdeck.com/belenko/icloud-keychain-and-ios-7-data-protection 

• Modern Smartphone Forensics, Vladimir Katalov, HITBSecConf, 2013 is available 
at http://conference.hitb.org/hitbsecconf2013kul/materials/D2T2%20-%20Vladimir%20Katalov%20-%20Cracking%20and%20Analyzing%20Apple's%20iCloud%20Protocol.pdf 

• Apple iCloud Inside out, Vladimir Katalov, HITBSecConf, 2013 is available at 
https://deepsec.net/docs/Slides/2013/DeepSec_2013_Vladimir_Katalov_-_Cracking_And_Analyzing_Apple_iCloud_Protocols.pdf 

• Cracking and Analyzing Apple iCloud backups, Find My iPhone, Document 
Storage, Oleg Afonin, REcon, 2013 is available at 
https://www.elcomsoft.com/PR/recon_2013.pdf 

Application data analysis 

Dedicated articles, presentations and papers on specific application data analysis 
are provided in the following list: 

• iOS Application Forensics is available at 
http://www.scribd.com/doc/57611934/CEIC-2011-iOS-Application-Forensics 

• Third Party Application Forensics on Apple Mobile Devices, Alex Levinson, Bill 
Stackpole, Daryl Johnson is available at 
http://www.researchgate.net/publication/224221519_Third_Party_Application_Forensics_on_Apple_Mobile_Devices 

• The Investigating iOS Phone Images, File Dumps & Backups article is available at 
http://www.magnetforensics.com/investigating-ios-phone-images-file-dumps-backups/ 

• The Analysis of iOS Notes App article is available at 
http://articles.forensicfocus.com/2013/11/02/analysis-of-ios-notes-app/ 

• Forensic Artifacts of the ChatOn Instant Messaging application, Iqbal A., 
Marrington A., Baggili I., IEEE is available at 
http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=true&arnumber=6911538 

• Forensic analysis of social networking applications on mobile devices, Noora Al 
Mutawa, Ibrahim Baggili, Andrew Marrington, Elsevier Ltd. is available at 
http://www.dfrws.org/2012/proceedings/DFRWS2012-3.pdf 

• The From iPhone to Access Point article is available at 
http://articles.forensicfocus.com/2013/09/03/from-iphone-to-access-point/ 

• Analysis of WeChat on iPhone, Feng Gao, Ying Zhang, Atlantis Press can be 
downloaded from http://www.atlantis-press.com/php/download_paper.php?id=10185 

• Know Your Suspect - Uncovering Hidden Evidence from Mobile Devices with 
Oxygen Forensics is available at 
http://www.forensicfocus.com/c/aid=74/webinars/2014/know-your-suspect-uncovering-hidden-evidence-from-mobile-devices-with-oxygen-forensics/ 

• Information about iPhone Call History Database is available at 
http://avi.alkalay.net/2011/12/iphone-call-history.html 

• iPhone Call History, Detective Richard Gilleland is available at 
http://cryptome.org/isp-spy/iphone-spy2.pdf 

• The Who's Texting? The iOS6 sms.db article is available at 
http://linuxsleuthing.blogspot.it/2013/05/ios6-photo-streams-recover-deleted.html 

• The Parsing the iPhone SMS Database article is available at 
http://linuxsleuthing.blogspot.it/2011/02/parsing-iphone-sms-database.html 

• The Addressing the iOS 6 Address Book and SQLite Pitfalls article is available 
at http://linuxsleuthing.blogspot.it/2012/10/addressing-ios6-address-book-and-sqlite.html 

• The iOS 6 Photo Streams: "Recover" Deleted Camera Roll Photos article is 
available at http://linuxsleuthing.blogspot.it/2013/05/ios6-photo-streams-recover-deleted.html 

• The Recovering Data from Deleted SQLite Records: Redux article is available at 
http://linuxsleuthing.blogspot.it/2013/09/recovering-data-from-deleted-sqlite.html 

• The SQLite Data Parser to Recover Deleted Records blog is available at 
http://az4n6.blogspot.it/2014/09/sqlite-deleted-data-parser-gui-added.html 

• Social Networking Applications on Mobile Devices, Noora Al Mutawa, Ibrahim 
Baggili, Andrew Marrington is available at 
http://www.ccse.kfupm.edu.sa/~ahmadsm/coe589-121/almutawa2012-social-network-mobile-slides.pdf 

• Forensic Acquisition and Analysis of Tango VoIP, Nhien-An Le-Khac, Christos 
Sgaras, M-Tahar Kechadi is available at 
https://www.insight-centre.org/sites/default/files/publications/icciet-2014.pdf 

• Challenges in Obtaining and Analyzing Information from Mobile Devices, Davydov, 
2014 is available at 
http://computerforensicsblog.champlain.edu/wp-content/uploads/2014/05/Challenges-in-Obtaining-and-Analyzing-Information-from-Mobile-Devices-DavydovO-5-20-2014.pdf 

• The Smartphone Forensics poster by SANS DFIR is available at 
https://digital-forensics.sans.org/media/DFIR-Smartphone-Forensics-Poster.pdf 

Related books 

Other previous books on the same topic are: 

• Bommisetty, Satish, Tamma, Rohit, Mahalik, Heather, Practical Mobile 
Forensics, Packt Publishing, 2014 

• Zdziarski, Jonathan, Hacking and Securing iOS Applications, O'Reilly, 2012 

• Miller, Charlie, Blazakis, Dionysus, Dai Zovi, Dino, Esser, Stefan, Iozzo, 
Vincenzo, Weinmann, Ralf-Philipp, iOS Hacker's Handbook, John Wiley & 
Sons, 2012 

• Hoog, Andrew, Strzempka, Katie, iPhone and iOS Forensics: Investigation, 
Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices, Syngress, 2011 

• Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, 
Computers, and the Internet, Third Edition, Academic Press, 2011 

• Morrissey, Sean, iOS Forensic Analysis: for iPhone, iPad, and iPod touch, 
Apress, 2010 

• Zdziarski, Jonathan, iPhone Forensics, O'Reilly, 2008 

• Kubasiak, Ryan, Morrissey, Sean, Mac OS X, iPod, and iPhone Forensics 
Analysis Toolkit, Syngress, 2008 

• Casey, Eoghan, Digital Evidence and Computer Crime, First Edition, Academic 
Press, 2000 
Tools for iOS Forensics 


Acquisition tools 

The list of physical acquisition tools (iPhone 2G/3G/3GS/4, iPad 1, iPod touch 
1/2/3/4) is as follows: 

• UFED Physical Analyzer: http://www.cellebrite.com 

• Elcomsoft iOS Forensic Toolkit: http://www.elcomsoft.com/ 

• AccessData Mobile Phone Examiner Plus: 
http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner 

• Lantern: https://katanaforensics.com/ 

• XRY: http://www.msab.com/ 

• iXAM forensics: http://www.ixam-forensics.com/ 

• iPhone data protection tools: https://code.google.com/p/iphone-dataprotection/ 

• Zdziarski Method: http://www.iosresearch.org/ 

• Paraben's Device Seizure: https://www.paraben.com/device-seizure.html 

For physical acquisition tools (jailbroken iPhone 4s/5/5c, iPad 2/3/4, iPad Mini 1) 
you can use Elcomsoft iOS Forensic Toolkit. 

For advanced logical acquisition tools (all models) you can choose UFED Physical 
Analyzer. 



A list of logical/backup acquisition tools (all models) is as follows: 

• iTunes: https://www.apple.com/itunes/download/ 

• Libimobiledevice: http://www.libimobiledevice.org/ 

• UFED Physical Analyzer/UFED 4PC/UFED Touch: http://www.cellebrite.com 

• Oxygen Forensic® Suite Standard/Analyst: http://www.oxygen-forensic.com/en/ 

• Mobiledit Forensic: http://www.mobiledit.com/forensic 

• AccessData Mobile Phone Examiner Plus: 
http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner 

• Lantern: https://katanaforensics.com/ 

• XRY: http://www.msab.com/ 

• Paraben's Device Seizure: https://www.paraben.com/device-seizure.html 

iDevice browsing tools and other nonforensic tools 

A list of iDevice browsing tools and other nonforensic tools is as follows: 

• Wondershare Dr.Fone iOS: 
http://www.wondershare.com/data-recovery-mac/mac-iphone-data-recovery.html 

• iSkysoft iPhone Data Recovery: http://www.iskysoft.com/iphone-data-recovery/ 

• iFunBox: http://www.i-funbox.com/ 

• iMazing: http://imazing.com/ 

• iExplorer: http://www.macroplant.com/iexplorer/ 

• PhoneView: http://www.ecamm.com/mac/phoneview/ 

iDevice backup analyzer 

A list of iDevice backup analyzers is as follows: 

• UFED Physical Analyzer/UFED 4PC/UFED Touch: http://www.cellebrite.com 




• Oxygen Forensic® Suite Standard/Analyst: http://www.oxygen-forensic.com/en/ 

• Elcomsoft Phone Viewer: http://www.elcomsoft.com/epv.html 

• Mobiledit Forensic: http://www.mobiledit.com/forensic 

• AccessData Mobile Phone Examiner Plus: 
http://www.accessdata.com/solutions/digital-forensics/mobile-phone-examiner 

• iPhone Backup Analyzer: http://www.ipbackupanalyzer.com/ 

• iPhone Analyzer: http://www.crypticbit.com/zen/products/iphoneanalyzer 

• iPhone Backup Browser: https://code.google.com/p/iphonebackupbrowser/ 

• Super Crazy Awesome iPhone Backup Extractor: http://supercrazyawesome.com/ 

• Apple iTunes Backup Parser EnScript: 
http://www.proactivediscovery.com/apple-itunes-backup-parser/ 

• iBackupBot: http://www.icopybot.com/itunes-backup-manager.htm 

• iPhone Backup Extractor: http://www.iphonebackupextractor.com/ 

• iPhone Backup Viewer: http://www.imactools.com/iphonebackupviewer/ 

• iBackup Extractor: http://www.wideanglesoftware.com/ibackupextractor/ 

• Smsiphone.org: http://www.smsiphone.org/ 

• iTunes Backup Extractor: http://www.backuptrans.com/itunes-backup-extractor.html 

iDevice encrypted backup 

A list of tools to analyze an iDevice encrypted backup is as follows: 

• Elcomsoft Phone Password Breaker: http://www.elcomsoft.com/eppb.html 

• iPhone Backup Unlocker: 
http://www.windowspasswordsrecovery.com/product/iphone-backup-unlocker.htm 

• Mbdb file parser: https://github.com/halpomeranz/mbdbls 
iCloud Backup 

A list of tools to analyze an iCloud Backup is as follows: 

• Elcomsoft Phone Password Breaker: http://www.elcomsoft.com/eppb.html 

• Wondershare Dr.Fone iOS: 
http://www.wondershare.com/data-recovery-mac/mac-iphone-data-recovery.html 

• iPhone Data Recovery: 
http://www.tenorshare.com/products/iphone-data-recovery-win.html 

• iLoot: https://github.com/hackappcom/iloot 

Jailbreaking tools 

For more information on the jailbreaking tools, refer to the iPhone Wiki jailbreaking 
tools page at http://theiphonewiki.com/wiki/Jailbreak. 


iOS 8 

For iOS 8, refer to the following list: 

• Pangu: http://en.pangu.io/ 

• Taig: http://www.taig.com/en/ 


iOS 7 

For iOS 7, refer to the following list: 

• Pangu: http://en.7.pangu.io/ 

• Evasi0n7: http://evasi0n.com/ 

• Geeksn0w: http://geeksn0w.it/ 


iOS 6 

For iOS 6, refer to the following list: 

• Evasi0n: http://evasi0n.com/iOS6/ 

• Redsn0w: http://blog.iphone-dev.org/tagged/redsn0w 

• Sn0wbreeze: http://ih8sn0w.com/ 

• p0sixspwn: http://p0sixspwn.com/ 
Data analysis 

All the acquisition tools previously illustrated also have analysis features; for this 
reason, here we list only the tools dedicated to data analysis/parsing. 

Forensic toolkit 

A list of forensic toolkits is as follows: 

• AccessData FTK: http://accessdata.com/solutions/digital-forensics/forensic-toolkit-ftk 

• GuidanceSoftware Encase Forensic: 
https://www.guidancesoftware.com/products/Pages/encase-forensic/overview.aspx 

• X-Ways Forensics: http://www.x-ways.net/forensics/index-m.html 

• WinHex: http://www.x-ways.net/winhex/ 

• BlackBag Blacklight: 
https://www.blackbagtech.com/software-products/blacklight-6/blacklight.html 


SQLite viewer 

The tools to analyse SQLite databases are as follows: 

• SQLite Database Browser: http://sqlitebrowser.org/ 

• SQLite Expert: http://www.sqliteexpert.com/ 

• SQLite Studio: http://sqlitestudio.pl/ 

• SQLite Manager: https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/ 

• SQLite Spy: http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index 

• SQLite Forensic Reporter: http://www.filesig.co.uk/sqlite-forensic-reporter.html 


SQLite record carver 

The SQLite record carving tools are as follows: 

• SQLite Recovery Python Parser: 
http://az4n6.blogspot.it/2013/11/python-parser-to-recover-deleted-sqlite.html and 
https://github.com/mdegrazia/SQLite-Deleted-Records-Parser 
• Epilog: http://www.cclgroupltd.com/product/epilog-sqlite-forensic-tool/ 

• Oxygen Forensics SQLite Viewer: 
http://www.oxygen-forensic.com/en/features/analyst/data-viewers/sqlite-viewer 

• SQLite Recovery: http://sandersonforensics.com/forum/content.php?190-SQLite-Recovery 

• Undark: http://pldaniels.com/undark/ 


Plist viewer 

The tools to analyse Plist files are as follows: 

• Plist Editor Pro for Windows: http://www.icopybot.com/plist-editor.htm 

• Oxygen Forensics Plist Viewer: 
http://www.oxygen-forensic.com/en/features/analyst/data-viewers/plist-viewer 

• PlistEdit Pro: http://fatcatsoftware.com/plisteditpro/ 

• Pip: http://www.cclgroupltd.com/product/pip-xml-and-plist-parser/ 

iOS analysis suite 

The most interesting iOS analysis suites are as follows: 

• Internet Evidence Finder: http://www.magnetforensics.com/ 

• BlackLight: https://www.blackbagtech.com/ 

• iPhone Tools: https://code.google.com/p/linuxsleuthing/downloads/list 

App analysis tools 

The app analysis tools are listed as follows: 

• SkypeExtractor: http://www.skypextractor.com/ 

• SkypeLogView: http://nirsoft.net/utils/skype_log_view.html 

• Safari Forensic Tools: http://jafat.sourceforge.net/files.html 

• iPhone History Parser: 
http://az4n6.blogspot.it/2014/07/safari-and-iphone-internet-history.html 

• iThmb Converter: http://www.ithmbconverter.com/ 

• Ultra File Opener: http://www.ultrafileopener.com/formats/ithmb/ 

• class-dump-z: https://code.google.com/p/networkpx/wiki/class_dump_z 

• Keychain Dumper: https://github.com/ptoomey3/Keychain-Dumper 


Consolidated.db 

The tools for Consolidated.db are as follows: 

• iStalkr: http://www.evigator.com/free-apps/ 

• iPhone Tracker: http://petewarden.github.io/iPhoneTracker/ 

• iOS Tracker: http://tom.zickel.org/iostracker/ 

App reverse engineering tools 

The app reverse engineering tools are as follows: 

• class-dump-z: https://code.google.com/p/networkpx/wiki/class_dump_z 

• Keychain Dumper: https://github.com/ptoomey3/Keychain-Dumper 

• Dump Decrypted: https://github.com/stefanesser/dumpdecrypted 

• Read Mem: https://github.com/gdbinit/readmem 

• iOS Reverse Engineering Toolkit (iRET): 
https://www.veracode.com/iret-ios-reverse-engineering-toolkit 

• Idb: https://github.com/dmayer/idb 
Self-test Answers 


Chapter 1: Digital and Mobile Forensics 

Question No.    Correct option 
1               3 
2               4 
3               2 
4               3 


Chapter 2: Introduction to iOS Devices 

Question No.    Correct option 
1               3 
2               2 
3               4 
4               3 
5               4 
6               3 


Chapter 3: Evidence Acquisition from iDevices 

Question No.    Correct option 
1               3 
2               1 
3               1 
4               2 
5               2 


Chapter 4: Analyzing iOS Devices 

Question No.    Correct option 
1               1 
2               4 
3               3 
4               3 
5               2 
6               2 
7               3 
8               3 


Chapter 5: Evidence Acquisition and Analysis from iTunes Backup 

Question No.    Correct option 
1               1 
2               2 
3               4 
4               2 


Chapter 6: Evidence Acquisition and Analysis from iCloud 

Question No.    Correct option 
1               3 
2               2 
3               4 
4               3 


Chapter 7: Applications and Malware Analysis 

Question No.    Correct option 
1               3 
2               3 
3               4 
4               1 
5               2 